Well, this is unfortunate. Slack is requiring some Android users to reset their passwords as soon as possible. A recent update the company released introduced a bug that stored passwords in plain text, which is very bad. The company says it doesn’t have any evidence of compromised credentials, but it’s emailing anyone affected to make them change passwords.
As first spotted by Android Police, the company is emailing users affected by the bug and even including a link directly to update passwords. That’s an odd choice, as typically, you shouldn’t trust an email that includes a link to change your login details. But the emails are legitimate. Here’s the text of the message:
Slack is requiring a password reset for the [redacted] account on [redacted]. We are taking this step as a precaution due to an error that we discovered, and there is no evidence of any unauthorized or third party access to this account. Maintaining the security of your team and the privacy of your communications is important to us. We apologize for the disruption.
On December 21st, 2020, Slack introduced a bug that caused some versions of our Android app to log clear text user credentials to their device. Slack identified the issue on January 20th, 2021 and fixed it on January 21st, 2021. A fixed version of the Android app is available and we have blocked usage of the impacted version(s).
To set your new password immediately, please use the following link: [redacted]
Selecting a complex and unique password is strongly recommended, and is vital to protecting the integrity of your account. We suggest the use of a password manager to help you keep track of your passwords for every service you use.
Finally, you can manually delete the logs from your device. Be advised this action will also log you out of all Slack workspaces of which you are a member. We have already invalidated the logged password, but if you have reused this Slack password to log in to other websites, this is highly recommended.
You can do this with these instructions on your Android device:
From your home screen, go to the Settings app
Scroll down and select Apps
Navigate to and select Slack
Click Clear data on the left side of the screen
Click OK to confirm that you wish to clear data
Log into Slack using your new password
We very much regret any inconvenience we have caused. If you have additional questions, you can reply directly to this notification — our support team is standing by and ready to help.
The team at Slack
Slack says the bug only hit a small subset of Android users, so if you don’t get an email from the company, you might not need to change your password. Then again, better safe than sorry, especially if you reuse passwords. And if you do reuse passwords, stop that. Get a password manager and set a unique, complicated password for every service and site that calls for one.
If you’re like us and don’t trust links in an email asking for a password change, you can bypass that and go straight to Slack’s site (Google it if you don’t trust our link either). Just log in with your credentials, then change your password manually.
Storing passwords in plain text is a pretty bad security lapse, but Slack is far from the first (or last) company to make that mistake. Thankfully, it’s proactively contacting users, though we’d recommend a post on the company’s blog to reassure us all that the email is real.
via Android Police