But the company said on Friday that one of its low-friction features contained a vulnerability, now fixed, that exposed cryptographically scrambled versions of some users' passwords. When users created or revoked a link—known as a “shared invite link”—that others could use to sign up for a given Slack workspace, the command also inadvertently transmitted the link creator's hashed password to other members of that workspace. Slack, which is now owned by Salesforce, says a security researcher disclosed the bug to the company on July 17, 2022. Some users who had passwords exposed throughout the five years may not still be Slack users today. If you received a notification from Slack, change your password, and make sure you have two-factor authentication turned on.

Source: New York Times August 06, 2022 04:37 UTC