#Fail : Slack Exposes Hashed Passwords

If you’re a Slack user, you might have received a request to change your password in the last day or two. I’m here to tell you that this email isn’t a phishing attempt. It’s actually real and you should pay attention to it.

Here’s why.

Slack has admitted to accidentally exposing the hashed passwords of at least 50,000 users, roughly 0.5% of total Slack users. The workspace application began sending password reset links to affected users last week. While the passwords were not in plaintext and were not visible to any Slack clients, it appears that this issue has been going on since 2017.

#Fail.

Sharon Nachshony, Security Researcher at Silverfort, had this to say:

“Hashes of salted passwords being leaked is not as dangerous as exposing them in plain-text, as an attacker would have to use brute-force methods – essentially automating a script to guess passwords – which takes some time.

While this makes exploitation less likely, a threat actor may still be motivated to do this because Slack is used by so many companies. Incidents like these are once again a clear argument for users to enable MFA. If implemented correctly, this would alert the legitimate user to any authentication attempt on their behalf, denying any malicious access attempt.”
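The quote above rests on two properties of salted, iterated password hashing. The following Python example is added here to show them; it is not Slack's code or anything from the original post, and the PBKDF2-HMAC-SHA256 work factor is an assumed value: a per-user random salt makes identical passwords hash differently (so one cracking run cannot be amortised across users), and a slow KDF makes each guess cost far more than a bare hash.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Assumed work factor for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt per user is what
    makes two users with the same password store different values."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes,
                    iterations: int = ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def same_password_distinct_hashes(password: str,
                                  iterations: int = ITERATIONS) -> bool:
    """True when hashing one password twice yields different salts and digests,
    i.e. a precomputed table for one user is useless against another."""
    s1, d1 = hash_password(password, iterations=iterations)
    s2, d2 = hash_password(password, iterations=iterations)
    return s1 != s2 and d1 != d2


def guess_cost_ratio(iterations: int = ITERATIONS, samples: int = 1000) -> float:
    """Wall-clock cost of one PBKDF2 guess relative to one bare SHA-256 of the
    same constructed input: this is the 'takes some time' in the quote."""
    pw, salt = b"constructed-sample", os.urandom(16)
    t0 = time.perf_counter()
    for _ in range(samples):
        hashlib.sha256(salt + pw).digest()
    t1 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)
    t2 = time.perf_counter()
    return (t2 - t1) / max((t1 - t0) / samples, 1e-9)
```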

MFA (Multi-Factor Authentication), or the newer approach of passwordless authentication, is the way to go to reduce your attack surface. Companies should look at technologies like these to avoid being pwned because of a password exploit.
