Slack resets passwords after exposing hashes in invitation links
2022-08-05 17:44

Slack notified roughly 0.5% of its users that it reset their passwords after fixing a bug that exposed salted password hashes when shared invitation links for workspaces were created or revoked.

Luckily, the hashed passwords were not visible to Slack clients, and accessing the exposed information required actively monitoring encrypted network traffic from Slack's servers, according to Slack.

"However, for the sake of caution, we have reset affected users' Slack passwords. They will need to set a new Slack password before they can log in again."

It's also important to mention that, although hashes cannot be used for authentication and reversing them is considered infeasible, Slack noted in the security notices sent to affected users that hashes could still be reversed via brute force.

"Hashed passwords are secure, but not perfect - they are still subject to being reversed via brute force - which is why we've chosen to reset the passwords of everyone affected," Slack warned.

BleepingComputer reached out to Slack for more info on the hashing algorithm used to generate the password hashes but did not receive a reply before this article was published.


News URL

https://www.bleepingcomputer.com/news/security/slack-resets-passwords-after-exposing-hashes-in-invitation-links/