A bug present in Slack’s systems since 2017 that was relaying “hashed” versions of users’ passwords to anyone they sent sign-up links to has finally been fixed.
Although only reportedly affecting 0.5% of Slack’s user base, the issue was significant enough for the business messaging platform to force those users to reset their passwords.
The company – which is now owned by Salesforce – said the enforced action was precautionary as “hashed” passwords (the scrambled versions of plaintext passwords generated during encryption processes) can sometimes be reversed with brute force.
Slack’s Sign-Up Slip-Up
In a post discussing the issue, Slack said that on August 4, a small percentage of Slack users were asked to reset their passwords “in response to a bug that occurred when users created or revoked a shared invitation link for their workspace.”
“When a user performed either of these actions” the post continues, “Slack transmitted a hashed version of their password to other workspace members.”
The affected parties would have carried out such actions between April 17 2017 and July 17 2022, which is a huge range of time in the context of system vulnerabilities.
However, the good news is that the hashed passwords were apparently “not visible to any Slack clients,” and in order to discover it even existed, it required actively monitoring encrypted network traffic from the platform’s servers.
Why Did Slack Force Users to Reset Their Passwords?
Luckily for both Slack and its users, there was no evidence that the vulnerability had been exploited so the hashed passwords could be converted back into plaintext (non-computationally-tagged, ordinarily readable text).
In short, hashes cannot be used for authentication, and reversing the hashing process is either unachievable or nigh-on impossible with most encryption algorithms used to hash passwords.
Slack says that, despite this, some hashed passwords can still be brute forced, and this justified the enforced password resetting. This makes the question: “which hashing algorithm is Slack using?” an interesting one to say the least.
The Importance of Multiple Passwords
Slack has also reminded users of the importance of using unique passwords for every online service they use.
If someone was to get a hold of your Slack password, and it's the one you used for your business Gmail account, for example, a threat actor would suddenly have access to that too. This is often how an individual's whole network of online accounts is compromised quickly.
Remembering hundreds of unique passwords is unfeasible – unless you have a password manager, that is. With password managers, all you need to remember is your master pass key, rather than loads of different passwords, which will be safely secured and stored instead. That way, you'll have a lot less to worry about.