Threat Watch

Slack Resets User Passwords After Password Hashes Found in Invitations

Slack has reset 0.5% of its users’ passwords following the discovery of salted password hashes being exposed to other users in shared workspaces. Discovered by an independent security researcher, the bug affected all users who created or revoked shared workspace invite links between April 17, 2017, and July 17, 2022, the day it was reported. Hashed passwords were fortunately not visible to Slack clients, and Slack claims that monitoring encrypted traffic from Slack’s servers would be required to access the exposed information.

Slack has found no evidence that any plaintext passwords were obtained during the bug’s lifetime but decided to reset affected user passwords out of an abundance of caution. While the salted and hashed passwords have the potential to be cracked via brute force, it would be difficult and time consuming based on the hashing algorithms used.


Fortunately, no action is required by Slack users at this time beyond the password reset that Slack has sent to affected users.
In general, strong password security would be very beneficial in this case, or any other case where hashed passwords are leaked. A sufficiently long and random password causes brute force cracking of the hash to become far more difficult. It’s also important to use a unique password for every service so that in the event of a successful brute force of the hash, the impact is contained to a single website/service. A password manager makes using unique passwords on every site very simple, and we highly recommend using them.