Hi hn, today I received an email from Slack explaining an issue with one of the invitation links I created to invite others to my workspace, which apparently included my hashed password. I'm pasting the text I received.

When you're connected to Slack, we keep your client updated using a websocket. When you have Slack open, the websocket is an always-open stream of behind-the-scenes information, specific to just you and your account, that we use to push new information to your Slack client. When a new message is posted, a new file is uploaded, a new emoji reaction is added, or a new teammate joins, all of this information is sent to you over a websocket. The raw data streamed from Slack's servers over the websocket is processed by the Slack client apps, but is not directly visible to users.

One of the hidden events we send over the websocket is a notice that a shared invite link was created or revoked. The bug we discovered was in this invite link event: along with the information about the shared invite link, the hashed password of the user who created or revoked the link was also included. This information was sent over the websocket to all users of the workspace who were currently connected to Slack. The hash of a password is not the same as the password itself; it is a cryptographic technique to store data in a way that is secure, and cannot be used to log in as you. We use a technique called salting to further protect these hashes. Hashed and salted passwords are secure, but not perfect — they are still subject to being reversed via brute force — which is why we've chosen to reset the passwords of everyone affected.
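The class of bug described in the email (a server-push event built from a full user record, so an internal field rides along to every connected client) is easiest to prevent with an allow-list serializer plus an outbound guard. The following is an added illustration written for this post; it is not Slack's code, and the event names, field names and sample records are constructed stand-ins, not Slack's real wire format.

```python
"""Added example (not Slack's code): allow-listing server-push websocket
events so internal fields such as a salted password hash never reach clients.

Every event name, field name and sample value here is constructed for
illustration and does not describe Slack's actual protocol."""
import hashlib
import json

# Per-event allow-list of invite-record fields that are safe to broadcast
# to every connected user of a workspace. Anything not listed is dropped.
CLIENT_SAFE_FIELDS = {
    "shared_invite_created": {"invite_id", "expires_at"},
    "shared_invite_revoked": {"invite_id"},
}

# Field names that must never appear in an outbound push event.
SENSITIVE_KEYS = {"password_hash", "salt", "password", "session_token"}

# Constructed fixed salt so the sample user record is deterministic.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")


def make_password_hash(password: str, salt: bytes) -> str:
    """Salted PBKDF2-HMAC-SHA256 hash, a stand-in for a real credential store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


# Constructed sample records: a full user row (as the backend stores it)
# and a shared-invite record.
USER = {
    "id": "U123",
    "name": "alice",
    "password_hash": make_password_hash("correct horse battery", SALT),
    "salt": SALT.hex(),
}
INVITE = {"invite_id": "I456", "expires_at": "2099-01-01T00:00:00Z"}


def build_event_naive(event_type: str, invite: dict, user: dict) -> dict:
    """The bug pattern: the whole backing user record is embedded in the event."""
    return {"type": event_type, **invite, "user": dict(user)}


def build_event_allowlisted(event_type: str, invite: dict, user: dict) -> dict:
    """Hardened: copy only explicitly allowed invite fields plus the actor's id,
    even though the full user record is available to the caller."""
    allowed = CLIENT_SAFE_FIELDS[event_type]
    safe_invite = {k: v for k, v in invite.items() if k in allowed}
    return {"type": event_type, "actor_id": user["id"], **safe_invite}


def find_sensitive_keys(obj, path: str = "$") -> list:
    """Return JSON paths of any SENSITIVE_KEYS name, recursing into nested
    dicts and lists. Usable as an outbound guard and as a unit-test check."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}"
            if key in SENSITIVE_KEYS:
                hits.append(child)
            hits.extend(find_sensitive_keys(value, child))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            hits.extend(find_sensitive_keys(value, f"{path}[{index}]"))
    return hits


def broadcast_payload(event: dict) -> str:
    """Serialize an event for the websocket, refusing to send it if a
    sensitive field slipped in. Failing closed here turns a silent leak
    into a loud server-side error that monitoring can catch."""
    leaks = find_sensitive_keys(event)
    if leaks:
        raise ValueError(f"refusing to broadcast event with sensitive fields: {leaks}")
    return json.dumps(event, sort_keys=True)


if __name__ == "__main__":
    naive = build_event_naive("shared_invite_created", INVITE, USER)
    print("naive event leaks:", find_sensitive_keys(naive))
    hardened = build_event_allowlisted("shared_invite_created", INVITE, USER)
    print("hardened event:", broadcast_payload(hardened))
```

The allow-list is the primary control; the `find_sensitive_keys` guard is defence in depth, since a denylist of field names only catches the names you thought of. Running the guard over every event type in a test suite also gives a regression check for exactly the kind of event-shape change that caused the leak described above.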