diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1db7d5bb2b..5e7ac924e1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@ The following sections list the changes for unreleased.
 
 * Bugfix - CSP rules for silent token refresh in iframe: [#4031](https://github.com/owncloud/ocis/pull/4031)
 * Bugfix - Remove unused configuration options: [#3973](https://github.com/owncloud/ocis/pull/3973)
+* Bugfix - Store user passwords hashed in idm: [#3778](https://github.com/owncloud/ocis/issues/3778)
 * Enhancement - Add capability for alias links: [#3983](https://github.com/owncloud/ocis/issues/3983)
 * Enhancement - Refactor extensions to services: [#3980](https://github.com/owncloud/ocis/pull/3980)
 
@@ -35,6 +36,15 @@ The following sections list the changes for unreleased.
 
    https://github.com/owncloud/ocis/pull/3973
 
+* Bugfix - Store user passwords hashed in idm: [#3778](https://github.com/owncloud/ocis/issues/3778)
+
+   Support for hashing user passwords was added to libregraph/idm. The graph API will now set
+   userpasswords using the LDAP Modify Extended Operation (RFC3062). In the default
+   configuration passwords will be hashed using the argon2id algorithm.
+
+   https://github.com/owncloud/ocis/issues/3778
+   https://github.com/owncloud/ocis/pull/4053
+
 * Enhancement - Add capability for alias links: [#3983](https://github.com/owncloud/ocis/issues/3983)
 
    For better UX clients need a way to discover if alias links are supported by the server. We added a