Slack resets user logins as bug leaked hashed passwords for years

9 Aug 2022

Image: © PhotoGranary/

The bug was active since 2017, but Slack said only 0.5pc of its users were affected and no plaintext passwords were exposed.

Slack has reset the passwords of a small percentage of its users after finding a bug that exposed hashed passwords when a user created or revoked a shared invitation link.

This feature allows users to create a link that will let anyone to join their Slack workspace, and is an alternative to inviting people one by one.

The messaging platform said that when a user performed either of these actions, a hashed version of their password was shared to other workspace members. Hashing is an encryption technique that turns a regular password into a series of random numbers and letters.

Slack said the bug was discovered by an independent researcher and affected users who created or revoked invitation links between 17 April 2017 and 17 July 2022.

The Salesforce-owned company said it immediately fixed the bug and began investigating the potential impact to its customer base.

Despite the large period of time this bug was active, Slack said it only impacted 0.5pc of its total user base.

“We have no reason to believe that anyone was able to obtain your plaintext password because of this vulnerability,” Slack said in an email to affected users. “However, for the sake of caution, we have reset your Slack password.“

Slack said the exposed hashed passwords were also protected through a technique called ‘salting’, which adds random data before a password is hashed. The company described salted and hashed passwords as “secure, but not perfect” as they can still be reversed by hackers.

In the email, Slack recommended that the affected users create a “complex and unique password” to replace the one that was reset. The company also mentioned two-factor authentication for an extra layer of security.

“We know that the security of your data is important,” Slack said. “We deeply regret this issue and its impact on you.”

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Leigh Mc Gowran is a journalist with Silicon Republic