Slack May Have Been Sending Other People Your Password…for Five Years

The business messaging platform has reset the passwords of accounts belonging to a small proportion of its users.
Aaron Drapkin

A bug present in Slack’s systems since 2017 that was relaying “hashed” versions of users’ passwords to anyone they sent sign-up links to has finally been fixed.

Although only reportedly affecting 0.5% of Slack’s user base, the issue was significant enough for the business messaging platform to force those users to reset their passwords.

The company – which is now owned by Salesforce – said the enforced action was precautionary as “hashed” passwords (the scrambled versions of plaintext passwords generated during encryption processes) can sometimes be reversed with brute force.

Slack’s Sign-Up Slip-Up

In a post discussing the issue, Slack said that on August 4, a small percentage of Slack users were asked to reset their passwords “in response to a bug that occurred when users created or revoked a shared invitation link for their workspace.”

“When a user performed either of these actions” the post continues, “Slack transmitted a hashed version of their password to other workspace members.”

The affected parties would have carried out such actions between April 17 2017 and July 17 2022, which is a huge range of time in the context of system vulnerabilities.

However, the good news is that the hashed passwords were apparently “not visible to any Slack clients,” and in order to discover it even existed, it required actively monitoring encrypted network traffic from the platform’s servers.

Why Did Slack Force Users to Reset Their Passwords?

Luckily for both Slack and its users, there was no evidence that the vulnerability had been exploited so the hashed passwords could be converted back into plaintext (non-computationally-tagged, ordinarily readable text).

In short, hashes cannot be used for authentication, and reversing the hashing process is either unachievable or nigh-on impossible with most encryption algorithms used to hash passwords.

Slack says that, despite this, some hashed passwords can still be brute forced, and this justified the enforced password resetting. This makes the question: “which hashing algorithm is Slack using?” an interesting one to say the least.

The Importance of Multiple Passwords

Slack has also reminded users of the importance of using unique passwords for every online service they use.

If someone was to get a hold of your Slack password, and it's the one you used for your business Gmail account, for example, a threat actor would suddenly have access to that too. This is often how an individual's whole network of online accounts is compromised quickly.

Remembering hundreds of unique passwords is unfeasible – unless you have a password manager, that is. With password managers, all you need to remember is your master pass key, rather than loads of different passwords, which will be safely secured and stored instead. That way, you'll have a lot less to worry about.

Did you find this article helpful? Click on one of the following buttons
We're so happy you liked! Get more delivered to your inbox just like it.

We're sorry this article didn't help you today – we welcome feedback, so if there's any way you feel we could improve our content, please email us at contact@tech.co

Aaron Drapkin is a Senior Writer at Tech.co. He has been researching and writing about technology, politics, and society in print and online publications since graduating with a Philosophy degree from the University of Bristol three years ago. As a writer, Aaron takes a special interest in VPNs and project management software. He has been quoted in the Daily Mirror, Daily Express, The Daily Mail, Computer Weekly, and the Silicon Republic speaking on various privacy and cybersecurity issues, and has articles published in Wired, Vice, Metro, The Week, and Politics.co.uk covering a wide range of topics.

Explore More See all news
close Thinking about your online privacy? NordVPN is Tech.co's top-rated VPN service See Deals