Office communication platform Slack has admitted to accidentally exposing the hashed passwords of some users.
According to Wired, the vulnerability, which exposed cryptographically scrambled versions of some users' passwords, goes back five years: it was present between April 17, 2017 and July 17, 2022 and affected anyone who created or revoked a shared invite link.
Slack began sending password reset links to affected users on August 4, a few days after an independent security researcher disclosed the vulnerability to Slack on July 17. Slack said the flaw impacted about 0.5 percent of its users, which could mean approximately 50,000 users, as the company said it had over 10 million daily active users in 2019.
“We immediately took steps to implement a fix and released an update the same day the bug was discovered, on July 17th, 2022,” the company said in a statement. “Slack has informed all impacted customers and the passwords for impacted users have been reset.”
According to Slack, the security vulnerability was immediately fixed. It is unlikely that the exposure compromised the underlying passwords, because a hash is not the plaintext password but the output of a one-way cryptographic function used to store it. “In other words, it is practically infeasible for a password to be derived from the hash, and no one can directly use the hash to authenticate,” Slack says. “We use a technique called salting to further protect these hashes.”
Sharon Nachshony, Security Researcher at Silverfort, explains, “Hashes of salted passwords being leaked is not as dangerous as exposing them in plain-text, as an attacker would have to use brute-force methods — essentially automating a script to guess passwords — which takes some time.”
While this makes exploitation less likely, Nachshony says “a threat actor may still be motivated to do this because Slack is used by so many companies. Incidents like these are once again a clear argument for users to enable MFA. If implemented correctly, this would alert the legitimate user to any authentication attempt on their behalf, denying any malicious access attempt.”
Slack recommends that all users enable two-factor authentication, ensure their operating system and antivirus software are up to date, create a new password for every service they use and use a password manager.