Slack, an internal messaging and communication application for organizations and businesses, was affected by a security vulnerability that exposed hashed user credentials.
The vulnerability was found in Slack's "Shared Invite Link" feature, which lets workspace administrators create links that add new participants to a workspace; with this feature, staff of an institution or organization are invited by e-mail to become workspace members. Because of the flaw, when a user created an invitation link, a hash of that user's Slack password was transmitted to other members of the workspace. The hash was never displayed by any Slack client; obtaining it required actively monitoring the encrypted network traffic coming from Slack's servers.
The vulnerability affects all users who created or canceled a shared invite link between April 17, 2017, and July 17, 2022. Slack has announced that, as a precaution against a potential data breach, the passwords of affected users have been reset; those users must set a new Slack password before they can log in again.
Accordingly, users are advised to choose new passwords that follow strong and unique password policies, to enable MFA/2FA wherever it is available as a safeguard against similar vulnerabilities that could lead to credential exposure, and to keep the applications, programs and systems they use fully up to date.