Slack stated it took the step of resetting passwords for about 0.5% of its customers after a flaw uncovered salted password hashes when creating or revoking shared invitation hyperlinks for workspaces.
“When a consumer carried out both of those actions, Slack transmitted a hashed model of their password to different workspace members,” the enterprise communication and collaboration platform stated in an alert on 4th August.
Hashing refers to a cryptographic method that transforms any type of information right into a fixed-size output (known as a hash worth or just hash). Salting is designed so as to add an additional safety layer to the hashing course of to make it immune to brute-force makes an attempt.
The Salesforce-owned firm, which reported greater than 12 million every day energetic customers in September 2019, did not reveal the precise hashing algorithm used to safeguard the passwords.
The bug is claimed to have impacted all customers who created or revoked shared invitation hyperlinks between 17 April 2017 and 17 July 2022, when it was alerted to the problem by an unnamed impartial safety researcher.
It is value stating that the hashed passwords weren’t seen to any Slack shoppers, that means entry to the data necessitated energetic monitoring of the encrypted community visitors originating from Slack’s servers.
“We’ve got no cause to consider that anybody was in a position to get hold of plaintext passwords due to this problem,” Slack famous within the advisory. “Nevertheless, for the sake of warning, now we have reset affected customers’ Slack passwords.”
Moreover, the corporate is utilizing the incident to advise its customers to activate two-factor authentication as a method to guard towards account takeover makes an attempt and create distinctive passwords for on-line providers.
