Slack has notified roughly 0.5% of its users and forced a password reset for them. The reset follows a recently fixed bug that exposed salted password hashes whenever a user created or revoked a shared invite link.
According to the official announcement, the bug was found and fixed in the Slack Shared Invite Link feature, which lets workspace owners create a link that anyone holding it can use to join the workspace, as an alternative to inviting people one at a time.
Anyone who created or revoked such a link between April 17, 2017 and July 17, 2022 had their hashed password transmitted, over the websocket connection, to all members of that workspace who were connected at the time.
“This hashed password was not visible in any Slack client; detecting it required active monitoring of encrypted network traffic originating from Slack servers. The bug was discovered by an independent researcher and disclosed on July 17, 2022,” Slack engineers explain. “After receiving the researcher’s report, we immediately fixed the underlying problem and then began to study its potential impact on our customers. We have no reason to believe that anyone was able to obtain unencrypted passwords due to this error; however, for security reasons, we have reset passwords for all affected users.”
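To make concrete why a leaked hash still warrants a reset even though it is salted, and what "monitoring traffic from the server" would look like in practice, here is an added example; it is not Slack's code and not from the advisory. It assumes a PBKDF2-HMAC-SHA256 salted hash as a stand-in (Slack's actual scheme is not stated), a constructed websocket event with a hypothetical `password_hash` field, and a tiny constructed wordlist. The salt defeats precomputed tables, but once the salt and hash are in the attacker's hands, per-user offline guessing proceeds at full speed, which is exactly what a forced reset cuts off.

```python
"""Added example (not Slack's code): spotting a hash-like value in a captured
websocket event, and showing that a *salted* hash is still crackable offline.

Assumptions (not from the advisory): PBKDF2-HMAC-SHA256 with a per-user salt
stands in for the real scheme, and the event's "password_hash" field name is
hypothetical. The event and wordlist below are constructed for illustration.
"""
import hashlib
import json
import re
from typing import Optional

ITERATIONS = 10_000  # deliberately low so the demo runs in well under a second


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """Return 'salt:hash' as hex, a common on-disk shape for a salted hash."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}:{digest.hex()}"


# Constructed server-to-client event standing in for the leaked frame.
LEAKED_EVENT = json.dumps({
    "type": "shared_invite_link_created",
    "user": "U0123ABC",
    "password_hash": hash_password(
        "Summer2022!", bytes.fromhex("00112233445566778899aabbccddeeff")),
})

# A 'salt:hash' pair: at least 16 hex chars, a colon, at least 32 hex chars.
HEX_HASH_RE = re.compile(r"^[0-9a-f]{16,}:[0-9a-f]{32,}$")


def find_hash_like_fields(raw_event: str) -> list:
    """Detection check: walk a JSON event and return (path, value) pairs whose
    value looks like a salt:hash pair. A real monitor would run this over every
    server-originated frame after TLS termination in the client or a proxy."""
    hits = []

    def walk(node, path=""):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}.{key}" if path else key)
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")
        elif isinstance(node, str) and HEX_HASH_RE.match(node):
            hits.append((path, node))

    walk(json.loads(raw_event))
    return hits


def crack_salted_hash(stored: str, wordlist, iterations: int = ITERATIONS) -> Optional[str]:
    """Offline dictionary attack. The salt travels with the hash, so it only
    blocks precomputed tables, not per-user guessing against this one value."""
    salt_hex, _ = stored.split(":")
    salt = bytes.fromhex(salt_hex)
    for candidate in wordlist:
        if hash_password(candidate, salt, iterations) == stored:
            return candidate
    return None


# Constructed wordlist; a real attacker would use millions of entries.
WORDLIST = ["password", "letmein", "Slack2022", "Summer2022!", "correcthorse"]


if __name__ == "__main__":
    hits = find_hash_like_fields(LEAKED_EVENT)
    print("hash-like fields:", hits)
    for path, value in hits:
        print(path, "->", crack_salted_hash(value, WORDLIST))
```

Run as a script it prints the detected field and the recovered password. The recovery works only because the password is in the wordlist; a long random password would survive, which is why the reset is a precaution rather than proof of compromise.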
Slack also reminded users that everyone is encouraged to enable multi-factor authentication, install updates promptly, and keep anti-malware tools up to date.