Emails sent to a number of Slack users about their account password being reset are genuine: the work communications app's developers reset the passwords after discovering a security-related bug in the tool.
Some Slack users were greeted on Monday by a notification that their account password had been reset. While such emails are often used by online criminals for phishing attempts, this time it is a legitimate communication from Slack itself.
In a blog post, Slack explained that it had notified approximately 0.5% of its user base that the company reset their passwords on August 4 in response to a bug. The passwords were reset "for the sake of caution," and affected users were required to set a new password for their account.
The reset stems from a bug discovered by a security researcher and disclosed to Slack on July 17. When users created or revoked a shared invitation link for their workspace, Slack sent a hashed version of the user's password to other members of that workspace.
Slack is confident that no users were negatively affected by the bug: the hashed password was not visible in the Slack client itself, and picking it up required actively monitoring encrypted network traffic. Slack also does not believe that anyone was able to obtain plaintext passwords as a result of the issue, but reset the relevant passwords as a precautionary measure.
According to Slack, all users who created or revoked the shared invitation link between April 17, 2017 and July 17, 2022 were potentially affected.
Slack advises concerned users to review the personal access logs for their account, to set up two-factor authentication, and to use a password manager capable of creating unique per-service passwords.