Slack Leaked User Passwords For 5 Years

Did you or any of your colleagues who use the messaging platform Slack receive a password reset notification last week?

If you did, the reason is due to Slack’s recent announcement that they accidentally exposed the passwords of users over a five-year period between April 2017 and June 2022.

The password exposure happened due to a glitch that sent hashed passwords to a user’s workspace whenever a user created or revoked a shared invitation link.  According to the Slack press release:

“When a user performed either of these actions, Slack transmitted a hashed version of their password to other workspace members. This hashed password was not visible to any Slack clients; discovering it required actively monitoring encrypted network traffic coming from Slack’s servers. This bug was discovered by an independent security researcher and disclosed to us on 17 July 2022. It affected all users who created or revoked shared invitation links between 17 April 2017 and 17 July 2022.”

Slack did state they believe less than one percent of users were affected, but that small percentage amounts to nearly 50,000 users based off their daily active user count of around ten million.

What is a Hashed Password?

What separates this leak from others is that only hashed passwords were leaked, so no plain text passwords were exposed. The exposed passwords were in a format known as a hashed password, which is a cryptographic technique to store data more securely—but can be reverse engineered with enough effort from a threat actor.

The consensus from security professionals is that the time it would take to use a brute-force attack to automate the reverse engineering of the hashed passwords are usually not worth the investment, but a bounty as big as 50,000 potential passwords from a pool of one of the largest tools in business may just be worth the time investment for attackers.

So far, there are no reports of additional security issues or concerns associated with this incident.

Should You Be Concerned if You Were Part of the Slack Password Leak?

To an extent, you should feel better about this leak than the standard ones where your entire password is exposed in plain text. In addition to the mandatory password reset, Slack enforces multi-factor authentication security (MFA), so if your password was used to log in to your Slack account with a stolen password, you can stop the attack by denying the MFA request.

Remember, MFA is one of the better security features most accounts offer and provides an additional layer of security when passwords are leaked.

Regardless, despite the comfort of knowing that “only” hashed passwords were leaked, the fact it took five years and a third party to alert Slack to the glitch, is understandably concerning.

You can read more about the Slack password leak and updates on the Slack website at https://slack.com/intl/en-gb/blog/news/notice-about-slack-password-resets.

Also, be wary of any imposter emails trying to take advantage of the situation with fraudelent communications that may include malicious links or requests for private information. 

About Schneider Downs Cybersecurity

The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.

To learn more, visit our dedicated Cybersecurity page or contact the team at [email protected]. 

Want to be in the know? Subscribe to our bi-weekly newsletter, Focus on Cybersecurity, at www.schneiderdowns.com/subscribe.