
Slack admits to leaking hashed passwords for five years
2022-08-08 18:14

Popular collaboration tool Slack has just owned up to a cybersecurity SNAFU. According to a news bulletin entitled Notice about Slack password resets, the company admitted that it had inadvertently been oversharing personal data "When users created or revoked a shared invitation link for their workspace."

Slack's security advisory doesn't explain the breach very clearly, saying merely that "[t]his hashed password was not visible to any Slack clients; discovering it required actively monitoring encrypted network traffic coming from Slack's servers."

"Most recipients wouldn't have noticed that the data they received included any hashed password information, because that information, although included in the network packets sent, was never deliberately displayed to them. And because the data was sent over a TLS connection, eavesdroppers wouldn't have been able to sniff it out along the way, because it wouldn't get decrypted until it reached the other end of the connection."
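The failure mode described above, a stored record serialized into a network payload that the client never displays, as an added illustration. This is not Slack's code: the user record, the field names and the invite-event shape are constructed for the example, and the hash value is a placeholder.

```python
import json
import re

# Constructed user record as a server might store it (not real data).
USER_RECORD = {
    "id": "U0001",
    "name": "alice",
    "email": "alice@example.com",
    # Placeholder in bcrypt format; not a real hash.
    "password_hash": "$2b$12$PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER",
}

SENSITIVE_FIELDS = {"password_hash", "password", "salt", "mfa_secret"}
HASH_RE = re.compile(r"^\$(2[aby]|argon2|scrypt|pbkdf2)[$\-]")


def invite_event_leaky(user):
    """Bug pattern: the event embeds the whole stored record.
    The client renders only id/name, but every field goes on the wire."""
    return {"type": "invite_link_revoked", "actor": dict(user)}


def invite_event_safe(user):
    """Fix: serialize an explicit allowlist of fields, never the raw record."""
    public = {k: user[k] for k in ("id", "name")}
    return {"type": "invite_link_revoked", "actor": public}


def find_leaks(payload):
    """Walk a JSON-compatible payload and return the paths of any field
    whose name is sensitive or whose value looks like a password hash.
    Suitable as a response-side check in an API test suite."""
    hits = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, val in node.items():
                p = f"{path}.{key}" if path else key
                if key in SENSITIVE_FIELDS or (isinstance(val, str) and HASH_RE.match(val)):
                    hits.append(p)
                walk(val, p)
        elif isinstance(node, list):
            for i, val in enumerate(node):
                walk(val, f"{path}[{i}]")

    walk(payload, "")
    return hits


if __name__ == "__main__":
    for build in (invite_event_leaky, invite_event_safe):
        wire = json.dumps(build(USER_RECORD))  # what actually leaves the server
        print(build.__name__, find_leaks(json.loads(wire)) or "clean")
```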

When a company admits it has been careless with its password database by leaking hashes, you might as well assume that yours was affected, even if the company thinks it wasn't.

A password manager helps to pick proper passwords, thus ensuring that your password ends up very, very far down the list of passwords that might get cracked in an incident like this.

Attackers typically can't do a true brute force attack, because there are just too many possible passwords to try out.
News URL

https://nakedsecurity.sophos.com/2022/08/08/slack-admits-to-leaking-hashed-passwords-for-three-months/