On 4 August 2022, we notified approximately 0.5% of Slack users that we had reset their passwords in response to a bug that occurred when users created or revoked a shared invitation link for their workspace. When a user performed either of these actions, Slack transmitted a hashed version of their password to other workspace members. This hashed password was not visible to any Slack clients; discovering it required actively monitoring encrypted network traffic coming from Slack’s servers. This bug was discovered by an independent security researcher and disclosed to us on 17 July 2022. It affected all users who created or revoked shared invitation links between 17 April 2017 and 17 July 2022.
Upon receiving the report from the security researcher, we immediately fixed the underlying bug and then began investigating the potential impact of this issue on our customers. We have no reason to believe that anyone was able to obtain plaintext passwords because of this issue. However, for the sake of caution, we have reset affected users’ Slack passwords. They will need to set a new Slack password before they can log in again.
What is a hashed password?
A hashed password is not the same as the plaintext password itself. Hashing is a cryptographic technique for storing data in a way that is secure but not reversible. In other words, it is practically infeasible for a password to be derived from the hash, and no one can directly use the hash to authenticate. We use a technique called salting to further protect these hashes.
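The properties described above can be seen in a short added example (not Slack's code): a per-user random salt makes identical passwords hash differently, and a server that re-hashes whatever it receives rejects the hash itself when it is submitted as a password. The algorithm (PBKDF2-HMAC-SHA256), the iteration count, and the names `hash_password`, `verify_password` and `demo` are assumptions for illustration; the notice does not say which scheme Slack uses.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed algorithm and cost, chosen for illustration; the notice does not
# say which hash function or parameters Slack uses.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(candidate: str, salt: bytes, stored: bytes) -> bool:
    """Re-hash the submitted value with the stored salt; compare in constant time."""
    _, digest = hash_password(candidate, salt)
    return hmac.compare_digest(digest, stored)


def demo() -> dict:
    password = "correct horse battery staple"  # constructed sample value
    salt_a, hash_a = hash_password(password)   # record for user A
    salt_b, hash_b = hash_password(password)   # record for user B, same password
    return {
        # Different salts give different stored hashes for the same password,
        # so one precomputed table cannot cover both records.
        "same_password_distinct_hashes": hash_a != hash_b,
        # The real password verifies against its own record.
        "password_verifies": verify_password(password, salt_a, hash_a),
        # Submitting the hash as if it were the password fails, because the
        # server hashes its input again before comparing.
        "hash_as_password_verifies": verify_password(hash_a.hex(), salt_a, hash_a),
        # A salt only matches the digest it was stored with.
        "wrong_salt_verifies": verify_password(password, salt_b, hash_a),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```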
What do I do if my password is being reset by Slack?
All active accounts requiring a password reset are being notified directly with instructions. For information on password resets at any time, please visit our Help Centre: https://get.slack.help/hc/en-us/articles/201909068
How can I review access to my account?
Each user can review the personal access logs for their account or download a complete CSV export at any time by visiting https://my.slack.com/account/logs. Owners and administrators on all paid subscriptions can learn more about viewing the access logs for their workspace in our Help Centre: https://get.slack.help/hc/en-us/articles/360002084807-View-Access-Logs-for-your-workspace
Who can I reach if I have additional questions?
If you have any questions that aren’t answered here, please contact us at firstname.lastname@example.org.
What steps can I take to further secure my account?
We recommend that all users use two-factor authentication, ensure that their computer software and antivirus software are up to date, create new, unique passwords for every service that they use and use a password manager.