On August 4, 2022, we notified approximately 0.5% of Slack users that we reset their passwords in response to a bug that occurred when users created or revoked a Shared Invite Link for their workspace. When a user performed either of these actions, Slack transmitted a hashed version of their password to other workspace members. This hashed password was not visible in any Slack clients; discovering it required actively monitoring encrypted network traffic coming from Slack’s servers. This bug was discovered by an independent security researcher and disclosed to us on July 17, 2022. It affected all users who created or revoked Shared Invite Links between April 17, 2017 and July 17, 2022.
Upon receiving the report from the security researcher, we immediately fixed the underlying bug, and then began investigating the potential impact of this issue on our customers. We have no reason to believe that anyone was able to obtain plaintext passwords because of this issue. However, for the sake of caution, we have reset affected users’ Slack passwords. They will need to set a new Slack password before they can log in again.
FAQ
What is a hashed password?
A hashed password is not the same as the plaintext password itself; hashing is a cryptographic technique for storing data in a way that is secure, but not reversible. In other words, it is practically infeasible for a password to be derived from the hash, and no one can directly use the hash to authenticate. We use a technique called salting to further protect these hashes.
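The properties described above, shown as an added example that is not Slack's code: a per-user salt makes identical passwords hash differently, and submitting a leaked hash in place of the password fails verification. The page does not name Slack's hashing algorithm, so PBKDF2-HMAC-SHA256, the iteration count, and all function names here are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed stand-in parameters; the page does not state the real algorithm.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is generated per user."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(candidate: str, salt: bytes, stored: bytes) -> bool:
    """Re-derive the digest from the submitted plaintext, compare in constant time."""
    _, digest = hash_password(candidate, salt)
    return hmac.compare_digest(digest, stored)


def demo() -> dict:
    # Constructed sample data: two users who happen to choose the same password.
    password = "correct horse battery staple"
    salt_a, hash_a = hash_password(password)
    salt_b, hash_b = hash_password(password)

    # Without a salt, equal passwords always produce equal hashes, so one
    # precomputed table of common passwords would match every such user.
    unsalted_a = hashlib.sha256(password.encode("utf-8")).digest()
    unsalted_b = hashlib.sha256(password.encode("utf-8")).digest()

    return {
        "unsalted_hashes_match": unsalted_a == unsalted_b,
        "salted_hashes_match": hash_a == hash_b,
        "login_with_password": verify_password(password, salt_a, hash_a),
        # The server hashes whatever is submitted, so presenting the stored
        # hash as the "password" derives a different digest and is rejected.
        "login_with_leaked_hash": verify_password(hash_a.hex(), salt_a, hash_a),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```
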
What do I do if my password is being reset by Slack?
All active accounts requiring a password reset are being notified directly with instructions. For information on password resets at any time, please visit our Help Center: https://get.slack.help/hc/en-us/articles/201909068
How can I review access to my account?
Each user can review the personal access logs for their account, or download a complete CSV export, at any time by visiting https://my.slack.com/account/logs. Owners and administrators on all paid plans can learn more about viewing the access logs for their workspace in our Help Center: https://get.slack.help/hc/en-us/articles/360002084807-View-Access-Logs-for-your-workspace
Who can I reach if I have additional questions?
If you have questions outside of those covered here, please contact us at feedback@slack.com.
What steps can I take to further secure my account?
We recommend that all users enable two-factor authentication, ensure that their computer software and antivirus software are up to date, create new, unique passwords for every service they use, and use a password manager.