The office communication platform Slack is easy to use. On Friday the company said that one of its low-friction features had a vulnerability, which it has now fixed.
The shared invite link feature inadvertently transmitted the link creator's password to other members of the workspace when the link was revoked. The flaw affected the password of anyone who created or revoked a shared invite link over the course of five years.
A security researcher disclosed the bug to the company in July of 2022. The company notes that the passwords were not visible to the public and could only have been found by someone monitoring the network traffic from the server. Though the company says it's unlikely that the actual content of any passwords was compromised, it notified impacted users on Thursday and forced password resets for all of them.
The situation affected about 1% of Slack's users. The company said it had more than 10 million daily active users, and it might have doubled that number by now. It's also possible that some users whose passwords were exposed are no longer using Slack.
The company released an update on the same day the bug was discovered. Slack has reset the passwords for all impacted customers.
The company did not respond to questions from WIRED about which cipher it used on the passwords or whether the incident has prompted a broader assessment of the company's password management architecture.
Jake Williams, director of cyber-threat intelligence at the security firm Scythe, said it's not uncommon for bugs that only come up in edge cases to get missed, and that the stakes are very high when it comes to passwords.
The situation underscores the challenge of designing flexible and usable web applications that also silo and limit access to high-value data like passwords. If you received a notification, you need to change your password and have two-factor authentication turned on. You can also review the access logs for your account.
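The bug class the article describes (an event broadcast to other workspace members that carries the acting user's credential material) is easy to reproduce in any web backend that serialises a whole user record into an outbound payload. The following is an added example, not Slack's code and not derived from it; the `User` fields, the event shape, the `build_event_*` helpers and the `find_sensitive_keys` audit are all assumptions constructed for illustration. It shows the defect pattern beside an allow-list serialiser, plus a last-line check that refuses to fan out a payload containing sensitive keys.

```python
"""Constructed illustration of sensitive-field leakage into a broadcast
event, and two defensive controls: an explicit allow-list for what other
members may see, and an outbound-payload audit before fan-out.

Example code, not Slack's implementation; all names are assumptions."""

import hashlib
import json
import os
from dataclasses import dataclass
from typing import Any, Dict, Optional, Set


@dataclass
class User:
    user_id: str
    display_name: str
    email: str
    # Salted hash as the server stores it; must never appear in a broadcast.
    password_hash: str


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store-side hashing (PBKDF2-SHA256 for illustration); returns 'salt$hex'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return f"{salt.hex()}${digest.hex()}"


# Keys that may never leave the server in a member-visible payload (assumed).
SENSITIVE_FIELDS: Set[str] = {"password_hash", "email"}

# Explicit allow-list of what other workspace members are entitled to see.
PUBLIC_USER_FIELDS = ("user_id", "display_name")


def build_event_unsafe(kind: str, actor: User, link_id: str) -> Dict[str, Any]:
    """The defect pattern: dump the whole user record into the event."""
    return {"type": kind, "link_id": link_id, "actor": vars(actor)}


def build_event_safe(kind: str, actor: User, link_id: str) -> Dict[str, Any]:
    """Hardened form: serialise only allow-listed fields of the actor."""
    actor_view = {f: getattr(actor, f) for f in PUBLIC_USER_FIELDS}
    return {"type": kind, "link_id": link_id, "actor": actor_view}


def find_sensitive_keys(payload: Any, path: str = "") -> Set[str]:
    """Walk an outbound payload and return dotted paths of sensitive keys.
    Catches leaks from nested objects and lists, not just top-level fields."""
    found: Set[str] = set()
    if isinstance(payload, dict):
        for key, value in payload.items():
            here = f"{path}.{key}" if path else key
            if key in SENSITIVE_FIELDS:
                found.add(here)
            found |= find_sensitive_keys(value, here)
    elif isinstance(payload, list):
        for i, value in enumerate(payload):
            found |= find_sensitive_keys(value, f"{path}[{i}]")
    return found


def broadcast(event: Dict[str, Any]) -> str:
    """Serialise an event for the wire, refusing any payload that carries
    sensitive keys. Returns the JSON string that would be sent."""
    leaks = find_sensitive_keys(event)
    if leaks:
        raise ValueError(f"refusing to broadcast sensitive fields: {sorted(leaks)}")
    return json.dumps(event, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample user; the credential is hashed before storage.
    alice = User("U1", "alice", "alice@example.com", hash_password("correct horse"))
    print(broadcast(build_event_safe("shared_invite_revoked", alice, "L1")))
    try:
        broadcast(build_event_unsafe("shared_invite_revoked", alice, "L1"))
    except ValueError as err:
        print(err)
```

The allow-list is the primary control: the event builder names what leaves the server rather than what stays. The audit in `broadcast` is deliberately redundant; it exists so that a new code path that forgets the allow-list (the edge case Williams refers to) fails loudly in testing instead of quietly shipping a hash to every member of the workspace.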