- Slack has had a misconfiguration on the Android app, causing user passwords to be logged in cleartext.
- The problem affects a small subset of users who were notified via email on what to do.
- Slack has kept this semi-public, which makes the legitimate notifications look like phishing.
Slack is sending warning messages to a small subset of its users, informing them that they urgently need to reset their passwords. As explained in the message, the reason is that the platform has mistakenly stored the passwords of this particular subset in plaintext form.
There’s no evidence that any unauthorized individuals accessed Slack’s database and, by extension, these passwords. Still, out of precaution, they will have to be reset since they are considered potentially compromised.
As the notice further explains, the error was introduced on December 21, 2020, when some versions of the Slack app for Android began to log cleartext user credentials on the device. The error was discovered a full month later, on January 20, 2021, and was fixed the next day.
Thus, if you have updated your Slack app after that date (the fix shipped on January 21, 2021), your credentials are now handled securely. However, your password may have been exposed in the meantime.
This is not very likely, but it’s good to see that Slack is handling this with an abundance of precaution, automatically treating these passwords as compromised instead of burying the issue. However, sending out such messages should be accompanied by a relevant notice on the blog or social media.
We understand that Slack wouldn’t want to draw more attention to this than it deserves or to cause the entire community to panic. Still, these messages are “phishy,” and when they’re not backed by a statement on any of the other official channels of the app, many recipients may disregard them as such.
Besides resetting the password, users are also advised to delete the cleartext logs from their Android devices. To do this, go to Settings → Apps & notifications → Slack, choose ‘Storage & cache,’ and tap the ‘Clear Storage’ and ‘Clear Cache’ options. That should do it.