Slack said it took the step of resetting passwords for about 0.5% of its users after a flaw exposed salted password hashes when creating or revoking shared invitation links for workspaces.
“When a user performed either of these actions, Slack transmitted a hashed version of their password to other workspace members,” the enterprise communication and collaboration platform said in an alert on 4 August.
Hashing refers to a cryptographic technique that transforms any kind of data into a fixed-size output (known as a hash value or simply a hash). Salting is designed to add an extra layer of security to the hashing process to make it resistant to brute-force attempts.
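To make the hashing and salting explanation concrete, here is an added example (not code from Slack or from the article) of how a service stores and checks salted password hashes with PBKDF2-HMAC-SHA256 from Python's standard library. The iteration count and the 16-byte salt length are assumptions chosen for illustration; the page does not say which algorithm or parameters Slack uses. The last function shows the contrast the article's explanation implies: an unsalted digest of a common password can be matched from a precomputed table, whereas salted digests of the same password differ per user.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

# Assumed cost parameter: high enough that each guess is expensive to compute.
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random 16-byte salt is drawn when none is given."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes,
                    iterations: int = ITERATIONS) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt, iterations)
    return hmac.compare_digest(digest, expected)


def salted_hashes_differ(password: str, iterations: int = ITERATIONS) -> bool:
    """Two users who chose the same password get different stored digests,
    so a table precomputed for unsalted hashes cannot be reused against them."""
    salt_a, digest_a = hash_password(password, iterations=iterations)
    salt_b, digest_b = hash_password(password, iterations=iterations)
    return salt_a != salt_b and digest_a != digest_b


def unsalted_lookup_hits(password: str, candidates: List[str]) -> bool:
    """Contrast case: an unsalted SHA-256 digest of a common password is found
    directly in a table built once from a (constructed) list of common passwords."""
    target = hashlib.sha256(password.encode("utf-8")).hexdigest()
    table = {hashlib.sha256(c.encode("utf-8")).hexdigest(): c for c in candidates}
    return target in table


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    salt, digest = hash_password("correct horse battery staple")
    print("verify correct:", verify_password("correct horse battery staple", salt, digest))
    print("verify wrong:  ", verify_password("wrong password", salt, digest))
    print("salted digests differ per user:", salted_hashes_differ("hunter2"))
    print("unsalted digest found in table:", unsalted_lookup_hits("hunter2", ["password", "hunter2"]))
```

Note the division of labour: the salt defeats precomputed tables and forces an attacker to crack each hash separately, while the iteration count is what makes each individual guess slow. A salted hash that leaks, as in this incident, is therefore far less useful to an attacker than a plaintext or unsalted hash, but a weak password with a cheap hash function can still be recovered, which is why a reset plus unique passwords remains the right response.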
The bug is said to have affected all users who created or revoked shared invitation links between 17 April 2017 and 17 July 2022, when Slack was alerted to the issue by an unnamed independent security researcher.
It is worth pointing out that the hashed passwords were not visible to any Slack clients, meaning that access to the information required active monitoring of the encrypted network traffic originating from Slack’s servers.
“We have no reason to believe that anyone was able to obtain plaintext passwords because of this issue,” Slack noted in the advisory. “However, for the sake of caution, we have reset affected users’ Slack passwords.”
Additionally, the company is using the incident to advise its users to enable two-factor authentication to guard against account takeover attempts and to create unique passwords for online services.