Hashed data exposure via WebSockets to Workspace Members
Team Summary
Official summary from Slack
When users created or revoked a Shared Invite Link for their workspace, Slack transmitted a hashed version of their password to other workspace members. This hashed password was not visible in any Slack clients; discovering it required actively monitoring encrypted network traffic coming from Slack’s servers. We immediately fixed the underlying bug and released an update the same day. While we have no reason to believe that anyone was able to obtain plaintext passwords because of this issue, we reset affected users’ Slack passwords and notified customers about the issue. See Slack’s blog post from August 2022 for additional details: https://slack.com/intl/en-in/blog/news/notice-about-slack-password-resets
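The bug class in Slack's summary, a realtime event that serialises a server-side user record and so ships the password hash to other workspace members, is shown below next to the allow-list fix and a defence-in-depth gate. This is an added example, not Slack's code; the event types, field names and user record are constructed.

```javascript
// Added example, not Slack's code. The bug class above: a realtime event
// serialises a whole server-side user record, password hash included, to
// every connected workspace member. Fix: allow-list the broadcast fields,
// plus a defence-in-depth gate that refuses credential-like keys.
const USER_PUBLIC_FIELDS = ["id", "name", "display_name", "avatar_url"];
const FORBIDDEN_KEY = /password|secret|token|salt|hash/i;
// Constructed user record, as a server might load it from its database.
const userRecord = {
  id: "U0123",
  name: "alice",
  display_name: "Alice",
  avatar_url: "https://example.invalid/alice.png",
  email: "alice@example.invalid",
  password_hash: "$2b$12$constructed-placeholder-hash",
};

// Vulnerable pattern: the whole record is dropped into the event.
function buildInviteEventUnsafe(type, user, inviteId) {
  return { type, invite_id: inviteId, actor: user };
}

// Fixed pattern: project the record through the allow-list first.
function publicUserView(user) {
  const view = {};
  for (const key of USER_PUBLIC_FIELDS) {
    if (key in user) view[key] = user[key];
  }
  return view;
}
function buildInviteEvent(type, user, inviteId) {
  return { type, invite_id: inviteId, actor: publicUserView(user) };
}

// Defence in depth: return the path of every key that looks like a credential.
function findCredentialKeys(value, path = "") {
  if (value === null || typeof value !== "object") return [];
  return Object.entries(value).flatMap(([k, v]) => {
    const p = path ? `${path}.${k}` : k;
    return FORBIDDEN_KEY.test(k) ? [p] : findCredentialKeys(v, p);
  });
}

// Broadcast gate; `send` stands in for the WebSocket fan-out to members.
function broadcast(event, send) {
  const leaks = findCredentialKeys(event);
  if (leaks.length) throw new Error(`refusing to broadcast: ${leaks.join(", ")}`);
  send(JSON.stringify(event));
  return true;
}
```

The gate turns a silent field leak into a server-side error that a regression test or an alert can catch before the frame ever reaches a client.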
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Submitted
Weakness
Insufficiently Protected Credentials