Identity, Vulnerability Management

Slack software flaw prompts forced password resets

Nearly 0.5% of Slack users have been forced by the workplace productivity software provider to perform password resets following the discovery of a security vulnerability that resulted in credential exposure, SecurityWeek reports. Slack has already addressed the flaw, which is believed not to have compromised plaintext passwords and was identified within the platform's Shared Invite Link functionality. However, hashed passwords of selected users have been shared to all workspace users between April 17, 2017, and July 17, 2022, according to Slack. "This hashed password was not visible in any Slack clients; discovering it required actively monitoring encrypted network traffic coming from Slacks servers. This bug was discovered by an independent security researcher and disclosed to us on July 17, 2022. Upon receiving the report from the security researcher, we immediately fixed the underlying bug, and then began investigating the potential impact of this issue on our customers. We have no reason to believe that anyone was able to obtain plaintext passwords because of this issue. However, for the sake of caution, we have reset affected users Slack passwords," said Slack, which has also recommended multi-factor authentication adoption for all users.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.