Slack recently informed some of its users that their passwords had been reset after a security breach compromised them.
In early August, around 0.5% of Slack users had their passwords reset after the instant messaging company discovered a security breach. This proportion may seem relatively low, but it is still significant when you know that the company claims more than 10 million daily active users.
A security breach that at first appeared harmless
The flaw worked as follows: as soon as a user created or deleted an invitation to join a discussion space, all members of the space in question received an encrypted version of that user's password.
According to Slack, the flaw does not seem to have been used for malicious purposes, even though it has existed since April 2017. For the American company, it was never exploited. It must be said that the people concerned only transmitted an encrypted version of their password, and in most cases to people they knew. Above all, no confidential information was displayed in plain text because of this bug.
Moreover, although these passwords were transmitted in theory, the way the messaging platform handled the encrypted content actually hid them from other users, so someone would have had to go looking for them deliberately. However, while it is very difficult to recover a password from its encrypted version, it is not totally impossible, so it was time to act.
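Why a leaked "encrypted" (hashed) password still forces a reset: anyone holding the stored form can test candidate passwords against it offline, with none of the service's rate limiting in the way, and only issuing a fresh salt and digest makes the leaked copy worthless. The following is an added illustration, not code from Slack or from the original article; the page does not say which algorithm Slack used, so PBKDF2-HMAC-SHA256 with a random per-user salt is assumed here, and the passwords are constructed sample values.

```python
import hashlib
import hmac
import os

# Assumed work factor for the illustration (the page gives no details of
# Slack's actual password storage).
ITERATIONS = 200_000


def make_record(password: str, salt: bytes = b"") -> dict:
    """Return the stored form of a password: random salt plus PBKDF2-HMAC-SHA256 digest.

    This record is what the bug exposed to other workspace members: not the
    password itself, but enough to check guesses against.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest, "iterations": ITERATIONS}


def matches(record: dict, candidate: str) -> bool:
    """Check one candidate against a stored record.

    Nothing here talks to the service, which is exactly the risk: a holder
    of the leaked record can repeat this check offline as often as the
    hash cost allows. compare_digest avoids timing leaks on the comparison.
    """
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


def reset_password(new_password: str) -> dict:
    """Mitigation: a reset issues a new salt and digest for a new password.

    The previously leaked record no longer corresponds to the live credential,
    so whatever an attacker learns from it no longer opens the account.
    """
    return make_record(new_password)


def leaked_record_opens_account(leaked: dict, current: dict, guess: str) -> bool:
    """True only if a guess that fits the leaked record also fits the current one."""
    return matches(leaked, guess) and matches(current, guess)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    leaked = make_record("correct horse battery staple")
    print("offline check of the right guess:", matches(leaked, "correct horse battery staple"))
    print("offline check of a wrong guess:  ", matches(leaked, "password123"))

    current = reset_password("a brand new passphrase after the notice")
    print("leaked record still opens account:",
          leaked_record_opens_account(leaked, current, "correct horse battery staple"))
```

The last line is the point of Slack's response: after the reset, even a fully recovered old password no longer matches the account's live record.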
Slack's teams reacted
The security flaw was initially discovered by an independent computer security researcher, who submitted his findings to Slack on July 17. The problem was corrected almost immediately, and the people affected were notified by the first week of August.
As explained above, the flaw was not extremely serious, but the messaging platform still took it very seriously and warned anyone whose password had been partially exposed that they had to reset it: before being able to log in again, they had to create a new one. If you have not received this notification but are concerned that your account may be one of those compromised, it is possible to check by clicking on this link.
Moreover, as with most services of this type, users are advised to enable two-factor authentication for greater security.
Sources: Bleeping Computer, The Register