Office communication platform Slack has admitted to accidentally exposing the hashed passwords of some users.
According to Wired, the vulnerability, which exposed cryptographically scrambled (hashed) versions of some users’ passwords, goes back five years, spanning April 17, 2017 to July 17, 2022, and impacted anyone who created or revoked a shared invite link.
The workspace application began sending password reset links to affected users on August 4, a few days after an independent security researcher disclosed the vulnerability to Slack on July 17. Slack said the flaw impacted about 0.5 percent of its users, which could mean approximately 50,000 users, as the company said it had over 10 million daily active users in 2019.
Sharon Nachshony, Security Researcher at Silverfort, explains, “Hashes of salted passwords being leaked is not as dangerous as exposing them in plain-text, as an attacker would have to use brute-force methods — essentially automating a script to guess passwords — which takes some time.”
While this makes exploitation less likely, Nachshony says “a threat actor may still be motivated to do this because Slack is used by so many companies. Incidents like these are once again a clear argument for users to enable MFA. If implemented correctly, this would alert the legitimate user to any authentication attempt on their behalf, denying any malicious access attempt.”
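As an added illustration of the point Nachshony makes (example code written for this page, not from Slack, Wired or Silverfort): with a random per-user salt and a slow key-derivation function, every guess costs one full hash evaluation per user, and a defender can estimate that cost to choose a work factor. The iteration count, user count and guess-list size below are assumed demo values, not figures from the incident.

```python
import hashlib
import secrets
import time

# Constructed demo work factor for PBKDF2-HMAC-SHA256; production deployments use a higher one.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, deliberately slow hash of one password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def new_record(password: str) -> dict:
    """Create a stored credential: a fresh random 16-byte salt kept next to the hash."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "iterations": ITERATIONS, "hash": hash_password(password, salt)}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hash_password(password, record["salt"], record["iterations"])
    return secrets.compare_digest(candidate, record["hash"])


def seconds_per_hash(iterations: int = ITERATIONS) -> float:
    """Measure one evaluation on this machine: the cost of a single guess against one user."""
    start = time.perf_counter()
    hash_password("timing-probe", b"\x00" * 16, iterations)
    return time.perf_counter() - start


def guessing_work(num_users: int, num_guesses: int, salted: bool = True) -> int:
    """Hash evaluations needed to test every guess against every leaked record.

    Unsalted: each guess is hashed once and compared against all records.
    Salted:   each guess must be rehashed with every user's own salt.
    """
    return num_guesses * num_users if salted else num_guesses


def estimated_hours(num_users: int, num_guesses: int, sec_per_hash: float, salted: bool = True) -> float:
    """Wall-clock estimate for a single machine; divide by core count for a parallel attacker."""
    return guessing_work(num_users, num_guesses, salted) * sec_per_hash / 3600


if __name__ == "__main__":
    rec = new_record("correct horse battery staple")
    assert verify("correct horse battery staple", rec) and not verify("wrong", rec)
    cost = seconds_per_hash()
    # Demo scale: 50,000 records (the article's estimate) against an assumed one-million-word list.
    print(f"per-guess cost {cost:.4f}s; salted: {estimated_hours(50_000, 1_000_000, cost):,.0f} h; "
          f"unsalted: {estimated_hours(50_000, 1_000_000, cost, salted=False):,.0f} h")
```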
The full article is available in Security Magazine.