Slack Leaked User Passwords For 5 Years

Did you or any of your colleagues who use the messaging platform Slack receive a password reset notification last week?

If you did, the reason is due to Slack’s recent announcement that they accidentally exposed the passwords of users over a five-year period between April 2017 and June 2022.

The password exposure happened due to a glitch that sent hashed passwords to a user’s workspace whenever a user created or revoked a shared invitation link.  According to the Slack press release:

“When a user performed either of these actions, Slack transmitted a hashed version of their password to other workspace members. This hashed password was not visible to any Slack clients; discovering it required actively monitoring encrypted network traffic coming from Slack’s servers. This bug was discovered by an independent security researcher and disclosed to us on 17 July 2022. It affected all users who created or revoked shared invitation links between 17 April 2017 and 17 July 2022.”

Slack did state they believe less than one percent of users were affected, but that small percentage amounts to nearly 50,000 users based off their daily active user count of around ten million.

What is a Hashed Password?

What separates this leak from others is that only hashed passwords were leaked, so no plain text passwords were exposed. The exposed passwords were in a format known as a hashed password, which is a cryptographic technique to store data more securely—but can be reverse engineered with enough effort from a threat actor.

The consensus from security professionals is that the time it would take to use a brute-force attack to automate the reverse engineering of the hashed passwords are usually not worth the investment, but a bounty as big as 50,000 potential passwords from a pool of one of the largest tools in business may just be worth the time investment for attackers.

So far, there are no reports of additional security issues or concerns associated with this incident.

Should You Be Concerned if You Were Part of the Slack Password Leak?

To an extent, you should feel better about this leak than the standard ones where your entire password is exposed in plain text. In addition to the mandatory password reset, Slack enforces multi-factor authentication security (MFA), so if your password was used to log in to your Slack account with a stolen password, you can stop the attack by denying the MFA request.

Remember, MFA is one of the better security features most accounts offer and provides an additional layer of security when passwords are leaked.

Regardless, despite the comfort of knowing that “only” hashed passwords were leaked, the fact it took five years and a third party to alert Slack to the glitch, is understandably concerning.

You can read more about the Slack password leak and updates on the Slack website at https://slack.com/intl/en-gb/blog/news/notice-about-slack-password-resets.

Also, be wary of any imposter emails trying to take advantage of the situation with fraudelent communications that may include malicious links or requests for private information. 

About Schneider Downs Cybersecurity

The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.

To learn more, visit our dedicated Cybersecurity page or contact the team at [email protected]

Want to be in the know? Subscribe to our bi-weekly newsletter, Focus on Cybersecurity, at www.schneiderdowns.com/subscribe.

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2023 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on
SEC Charges SolarWinds and CISO Timothy Brown For Misleading Investors
Think Before You Click: Fake Browser Updates are Back in Style
Protect Your Manufacturers: 3 Common Cyber Attack Methods to Watch Out for in 2023
Protect Your Students, Faculty and Staff: 3 Common Cyber Attack Methods to Watch Out for in 2023
Protect Your Retail Business: 3 Common Cyber Attack Methods to Watch Out for in 2023
Cybersecurity in the Construction Industry
Register to receive our weekly newsletter with our most recent columns and insights.
Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us
contact us
Pittsburgh

This site uses cookies to ensure that we give you the best user experience. Cookies assist in navigation, analyzing traffic and in our marketing efforts as described in our Privacy Policy.

×