It’s not the worst-case scenario, but the exposing of cryptographically scrambled passwords isn’t great either.

Slack is a popular medium for business communications because it is simple and intuitive to use. However, the company said on Friday that one of its low-friction features had a flaw, since fixed, that exposed the cryptographically scrambled (hashed) passwords of some customers.

Whenever a user created or revoked a “shared invite link” (a link other people can use to sign up for a specific Slack workspace), the feature unintentionally sent the link creator’s hashed password to other users of that workspace. Anyone who created or deleted a shared invite link between April 17, 2017, and July 17, 2022, had their password affected by the bug.

Slack, which is now owned by Salesforce, says a security researcher informed it of the flaw on July 17, 2022. The company states that the exposed hashes were not visible anywhere in the Slack interface and could only have been discovered by someone actively monitoring the relevant encrypted network traffic coming from Slack’s servers. The company alerted affected users on Thursday and forced password resets for all of them, even though it considers it unlikely that any actual password was recovered from the problem.

Slack estimated that 0.5 percent of its users were affected by the problem. The company reported having more than 10 million daily active users in 2019, which translates to about 50,000 notifications. The corporation may have almost doubled that number of users by this point. Some users whose passwords were compromised over the course of five years might no longer be Slack users.

On July 17, 2022, the firm announced in a statement, “We immediately took efforts to build a patch and provided an update the same day the fault was detected.” “Slack has notified all affected customers, and affected users’ passwords have been reset.”

The incident highlights how hard it is to build flexible, accessible web applications that also silo and restrict access to valuable data such as passwords. If you received a notification from Slack, change your password and make sure two-factor authentication is enabled. You can also review your account’s access logs.
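The class of defect described above (a broadcast event built from a whole user record, so a field that should never leave the server goes along with it) and the allowlist design the last paragraph alludes to can be shown side by side. The following is an added illustration written for this page, not Slack’s code: the user record, the event builders, the field names and the hash are all constructed assumptions.

```python
"""Leaky versus allowlisted event serialization, as an illustration of the bug class.

Hypothetical code: the record layout, event names and field names are assumptions
made for this example and are not Slack's own.
"""

import hashlib
import json
import re
from typing import Any

# Constructed sample user record as it might sit in a user store. The hash is of a
# made-up string; the algorithm is only for the illustration.
CREATOR: dict[str, Any] = {
    "id": "U123",
    "name": "alice",
    "email": "alice@example.com",
    "password_hash": hashlib.sha256(b"not-a-real-password").hexdigest(),
}


def build_invite_event_leaky(creator: dict[str, Any], link_id: str, action: str) -> dict[str, Any]:
    """The defective pattern: the full record is embedded in an event that is
    broadcast to other workspace members, so password_hash travels with it."""
    return {"type": f"shared_invite_link_{action}", "link_id": link_id, "creator": creator}


# Fields of a user record that are explicitly allowed to leave the server.
PUBLIC_USER_FIELDS = ("id", "name")


def build_invite_event_safe(creator: dict[str, Any], link_id: str, action: str) -> dict[str, Any]:
    """The fix: copy only allowlisted fields. Anything added to the record later
    (a new secret, a token) stays private unless someone deliberately lists it."""
    public = {k: creator[k] for k in PUBLIC_USER_FIELDS if k in creator}
    return {"type": f"shared_invite_link_{action}", "link_id": link_id, "creator": public}


# Key names that should never appear in an outbound payload.
SENSITIVE_KEY = re.compile(r"(password|passwd|pwd|secret|token|hash)", re.I)


def sensitive_keys(payload: Any) -> list[str]:
    """Walk a JSON-like payload and return dotted paths of keys that look sensitive.

    Intended as a guard in tests or just before serialization, so a leak of this
    kind fails a test instead of reaching other users.
    """
    found: list[str] = []

    def walk(node: Any, path: str) -> None:
        if isinstance(node, dict):
            for key, value in node.items():
                child = f"{path}.{key}" if path else key
                if SENSITIVE_KEY.search(key):
                    found.append(child)
                walk(value, child)
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")

    walk(payload, "")
    return found


if __name__ == "__main__":
    for builder in (build_invite_event_leaky, build_invite_event_safe):
        event = builder(CREATOR, "L1", "created")
        print(builder.__name__, json.dumps(event), "sensitive:", sensitive_keys(event))
```

The guard matches on key names only, which is deliberate: values such as a hash are indistinguishable from harmless hex strings, whereas a key called `password_hash` in an outbound event is always a defect. Running the guard over every event type in a test suite is a cheap way to catch a regression of this kind before it ships.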
