Usually, when you get an email or text message saying your Slack password has been reset, it’s a phishing attempt. This time around, however, an email encouraging Slack users to do a password reset is legitimate. The team communication service sent out the notice to many Slack users Monday. It’s a response to a security-related bug in the tool.
Some Slack Users Greeted With Notification of Password Reset
According to Slack, roughly half a percent (0.5%) of its user base got the email by Monday morning. The notice advised them their passwords had been reset “for the sake of caution.” Affected users will need to set a new password for their Slack account.
The measure comes because of a security bug identified by a security researcher in mid-July. With this particular bug, a hashed version of a user’s password (a one-way transform, not the plaintext) tagged along, hidden, whenever the user created or revoked a shared invitation link for their workspace.
Slack says the hashed passwords were never visible within the client software itself. Actually exploiting the bug would require active monitoring of encrypted network traffic. Slack doesn’t believe any plaintext passwords got loose to unwanted parties. Nevertheless, the communications service reset the affected user account passwords just to be safe.
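As an added, constructed illustration of the mistake the article describes (not Slack's code, which is not public): an invite-link endpoint that serializes the whole object drags the creator's password hash onto the wire, whereas an explicit allow-list cannot, and a small payload check lets a defender confirm which shape a response has. All names and sample values here are assumptions.

```python
from dataclasses import dataclass, asdict
from typing import Any


@dataclass
class User:
    id: str
    email: str
    password_hash: str  # constructed sample; must never reach an API response


@dataclass
class InviteLink:
    url: str
    created_by: User
    revoked: bool = False


# Fields the invite-link endpoint is allowed to return (assumed schema).
INVITE_LINK_FIELDS = {"url", "revoked"}
CREATOR_FIELDS = {"id", "email"}


def serialize_leaky(link: InviteLink) -> dict[str, Any]:
    """'Before' shape: dumping the whole object includes the nested user record."""
    return asdict(link)


def serialize_safe(link: InviteLink) -> dict[str, Any]:
    """'After' shape: an explicit allow-list, so unlisted fields cannot leak."""
    out = {k: getattr(link, k) for k in INVITE_LINK_FIELDS}
    out["created_by"] = {k: getattr(link.created_by, k) for k in CREATOR_FIELDS}
    return out


def leaked_hash_paths(payload: Any, path: str = "") -> list[str]:
    """Walk a JSON-like payload and report key paths that look like credentials."""
    hits: list[str] = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            here = f"{path}.{key}" if path else key
            if "hash" in key.lower() or "password" in key.lower():
                hits.append(here)
            hits.extend(leaked_hash_paths(value, here))
    elif isinstance(payload, list):
        for i, value in enumerate(payload):
            hits.extend(leaked_hash_paths(value, f"{path}[{i}]"))
    return hits


# Constructed sample data for the demonstration.
SAMPLE_LINK = InviteLink(
    url="https://example.invalid/join/abc123",
    created_by=User(id="U1", email="alice@example.invalid",
                    password_hash="$2b$12$constructedsamplehashvalue"),
)
```

The same walk can be run against captured response bodies in a test suite so a new field added to a model cannot silently widen what an endpoint returns.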
For More Than 5 Years, the Bug Went Unnoticed
The bug was around for roughly five years before anybody noticed it. According to Slack, anybody who created or revoked a shared invitation link between April 17, 2017 and July 17, 2022 could have been affected.
When a security researcher first noticed the bug, on July 17, 2022, they notified Slack. To its credit, Slack immediately fixed the bug and began researching its impact. On Aug. 4, Slack began notifying the potentially affected users of the breach and password reset.
To help avoid any potential security issues in the future, Slack recommends that all users start using two-factor authentication. They should also make sure their operating system, Slack client software and antivirus software are up to date. Finally, Slack recommends creating new, unique passwords for every service they use and using a password manager to help keep track of them all.