- Slack notified users who accessed the chat service on Android between December 21st and January 20th that they should immediately change their account passwords.
- A bug in the app logged the password in clear text on the device, where other apps could have accessed it.
- While Slack wasn’t hacked, and the risk might be only theoretical, it’s still a good idea to change the password.
Slack is one of the most popular chat apps for work out there, and that was the case well before the novel coronavirus pandemic forced millions of people to work from home. Salesforce’s announcement in early December that it paid $27.7 billion for the app further confirms the importance of Slack in the workplace. But it turns out something else started happening on Slack in mid-December, lasting for about a month. The Android version of the app stored login credentials in clear text, which is the kind of security risk that could expose your Slack password to any other app on the device. While there’s no indication that anyone abused the bug, which is now fixed, there’s still a theoretical risk that someone could access your Slack data. That’s why you should change your Slack password immediately. And if you happen to recycle user/password combinations, you should change the passwords for all the services that share the same credentials.
It was Android Police that first reported the matter. An email from Slack informed Android users that they needed to change their password, providing a “big, phishy-looking link.” The blog verified with Slack that the email is genuine and not the scam some might think it is.
Slack explains in the email that it introduced a bug on December 21st, 2020, “that caused some versions of our Android app to log clear text user credentials to their device.” Slack users on iPhone are unaffected, assuming they didn’t use the Android app before Slack fixed the problem. The fix came on January 21st, a day after the problem was discovered. Slack removed the previous version of the app, and the one you might be using right now doesn’t suffer from the same bug.
Slack advises users to change their password to something complex and unique and to use a password manager to remember it. Such tools are available for free in Apple Safari, Google Chrome, and Microsoft browsers. Changing the password can be done via the link received in the email or by logging into the app on the desktop and going into your profile’s Account Settings.
Slack also informs users they should manually delete the logs from their devices so that those old login credentials do not remain on the phone’s storage. You’ll have to go to Settings, Apps, Slack, Storage, and then Clear Data or Storage.
It goes without saying that if you haven’t received the Slack email to change your password, the bug has not affected your account. Still, it’s a good idea to change the passwords to your accounts now and then, and that’s also where a password manager comes in handy, as it’ll remember those complex passwords for you.