Slack has notified roughly 0.5% of its users that it reset their passwords after fixing a bug that exposed salted password hashes when creating or revoking shared invitation links for workspaces.
Reported by BleepingComputer, Slack said “when a user performed either of these actions, Slack transmitted a hashed version of their password (not plaintext) to other workspace members.”
“Although this data was shared via the new or deactivated invitation link, the Slack client did not store or display this data to members of that workspace.”
An independent security researcher disclosed the bug to Slack on 17th July. The issue affected all users who created or revoked shared invitations between April 17th 2017 and July 17th 2022.
The hashed passwords were not visible to Slack clients though, as active monitoring of encrypted network traffic from Slack’s servers is required to access this exposed information.
The company added that it has no reason to consider that the bug was used to gain access to plaintext passwords before being fixed.
