Slack has reset the passwords of roughly 0.5% of its users after discovering that salted password hashes were being exposed to other members of a user's workspace. Reported by an independent security researcher, the bug affected every user who created or revoked a shared workspace invite link between April 17, 2017, and July 17, 2022, the day it was reported: when such a link was created or revoked, the user's hashed password was included in data sent to other workspace members. The hashes were never displayed in any Slack client, and Slack says that obtaining them would have required actively monitoring the encrypted network traffic coming from Slack's servers.
Slack has found no evidence that any plaintext passwords were obtained during the bug's lifetime, but it reset the affected users' passwords out of an abundance of caution. A salted hash does not reveal the password directly; an attacker holding one would have to brute-force it guess by guess, recomputing the hash with that user's salt for each attempt, which Slack says would be difficult and time-consuming given the hashing algorithms it uses. The reset also means that any hash that was captured is no longer useful even if it were eventually cracked.
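To make the cost argument concrete, here is an added example (not Slack's code; the page does not name Slack's algorithm, so the standard library's scrypt is assumed as a stand-in for a salted, slow hash). It runs a small dictionary attack against a set of leaked hashes twice: once against fast, unsalted SHA-256, where one guess is hashed once and checked against every leaked record, and once against salted scrypt, where each guess must be recomputed for every user's salt and each computation is deliberately expensive. The wordlist and user passwords are constructed for the example.

```python
"""Added example: why leaked salted, slow hashes are costlier to crack than
fast unsalted ones. scrypt is assumed here as a stand-in for Slack's
unnamed salted hashing scheme; the data below is constructed, not real."""
import hashlib
import hmac
import os

# Constructed sample wordlist and user passwords (not real Slack data).
WORDLIST = [b"123456", b"password", b"letmein", b"hunter2", b"qwerty", b"dragon"]
USERS = {"alice": b"hunter2", "bob": b"hunter2", "carol": b"dragon"}

# scrypt work factor: each evaluation needs about 16 MiB of memory and
# milliseconds of CPU, which is the point of a slow password hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def fast_hash(password: bytes) -> bytes:
    """Unsalted single SHA-256: the weak scheme the attacker hopes for."""
    return hashlib.sha256(password).digest()


def slow_salted_hash(password: bytes, salt: bytes) -> bytes:
    """Salted, memory-hard scrypt: the kind of hash Slack's reset assumes."""
    return hashlib.scrypt(password, salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                          p=SCRYPT_P, dklen=32)


def store(users: dict[str, bytes]) -> dict[str, tuple[bytes, bytes]]:
    """Return {user: (salt, digest)} as a database would hold them.
    A fresh 16-byte random salt per user means identical passwords
    produce different digests, so no table can be precomputed."""
    records = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        records[name] = (salt, slow_salted_hash(pw, salt))
    return records


def crack_unsalted(leaked: dict[str, bytes], wordlist) -> tuple[dict[str, bytes], int]:
    """Dictionary attack on unsalted hashes.
    One hash per guess covers every leaked record at once.
    Returns (recovered passwords, number of hash computations)."""
    lookup = {}
    work = 0
    for guess in wordlist:
        lookup[fast_hash(guess)] = guess
        work += 1
    recovered = {user: lookup[h] for user, h in leaked.items() if h in lookup}
    return recovered, work


def crack_salted(records: dict[str, tuple[bytes, bytes]], wordlist) -> tuple[dict[str, bytes], int]:
    """Dictionary attack on salted hashes.
    Every guess has to be recomputed with each user's own salt, so work
    grows with the number of users as well as the wordlist size.
    Returns (recovered passwords, number of hash computations)."""
    recovered = {}
    work = 0
    for user, (salt, digest) in records.items():
        for guess in wordlist:
            work += 1
            if hmac.compare_digest(slow_salted_hash(guess, salt), digest):
                recovered[user] = guess
                break
    return recovered, work


if __name__ == "__main__":
    leaked_fast = {u: fast_hash(p) for u, p in USERS.items()}
    found, work = crack_unsalted(leaked_fast, WORDLIST)
    print(f"unsalted SHA-256: recovered {len(found)} users with {work} hash computations")

    leaked_slow = store(USERS)
    print("alice and bob share a password, digests differ:",
          leaked_slow["alice"][1] != leaked_slow["bob"][1])
    found, work = crack_salted(leaked_slow, WORDLIST)
    print(f"salted scrypt:    recovered {len(found)} users with {work} hash computations")
```

With a six-word list and three users the gap is already visible: the unsalted attack needs six cheap hashes no matter how many users leaked, while the salted attack needs fourteen slow ones here and would need far more against realistic wordlists and millions of records. Weak passwords still fall to either attack, which is why a reset, rather than relying on the hash alone, is the right response to an exposure like this one.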