Slack acknowledges it exposed hashed passwords for years



On Friday, Slack announced that one of its systems had been compromised but has now been fixed. The issue dates to 2017 and occurred when a user revoked a "shared invite link", a link that others could use to sign up for a specific Slack workspace. Because of a bug in the system, the command also unintentionally sent the link creator's hashed password to other users of that workspace. Anyone who created or deleted a shared invite link between April 17, 2017, and July 17, 2022, had their password affected by the bug.

The company alerted the impacted users on Thursday and mandated password resets for all of them, even though it's doubtful that the actual contents of any passwords were leaked due to the problem. On July 17, 2022, a security researcher informed Slack of the problem. The company claims that the exposed passwords were not visible anywhere in Slack and could only have been discovered by someone actively monitoring the relevant encrypted network traffic from Slack's servers.

In a statement, Slack said it took immediate steps to remedy the situation as soon as the bug was discovered on July 17, 2022, and updated its users about the mishap. It has also reset the passwords of all the impacted customers.

Jake Williams, the director of cyber-threat intelligence at Scythe, said that it was unfortunate that they still face bug issues like this in 2022. This is a threat and a result of failed threat modelling. He added that even though applications like Slack regularly undergo security testing, issues like this arise in edge-case functionality. However, the stakes are always high regarding passwords, which are sensitive data.

Slack estimated that 0.5 per cent of its users were affected by the problem. The company reported having more than 10 million daily active users in 2019, which translates to about 50,000 notifications. The corporation may have almost doubled that number of users by this point. As a result, some users whose passwords were compromised over five years might no longer be Slack users.

The incident highlights the difficulty of creating adaptable and accessible web applications that also restrict access to valuable data like passwords. If you received a notification from Slack, you should change your password and make sure two-factor authentication is enabled. You can also review your account's access logs.

About Slack

Slack is a messaging app created mainly for businesses but is now widely used by individuals. Slack, a platform designed by American software company Slack Technologies, has been acquired by Salesforce. It provides several IRC-like features, such as private groups, direct messaging, and topic-organized persistent chat rooms (channels). Furthermore, Slack interfaces with other programmes and offers various online communication services in addition to its other services. The company is headquartered in San Francisco, United States, and was established in 2013.

Peter Daniels
Peter Daniels is the lead journalist for
