This is it unfortunate. Slack requires some Android users to reset their passwords as soon as possible. A recent update the company released introduced a bug that saved passwords in plain text, which is very bad. The company says it has no evidence of compromised credentials, but it is emailing everyone involved to have them change passwords.
As first noted by Android Police, the company is emailing users affected by the bug and even adding a link directly to update passwords. That̵
Slack requires a password reset for the [redacted] account [redacted]. We are taking this step as a precautionary measure due to an error we have discovered and there is no evidence of unauthorized or third party access to this account. It is important to us to maintain the security of your team and the privacy of your communications. Our apologies for the malfunction.
On December 21, 2020, Slack introduced a bug that caused some versions of our Android app to log user credentials in plain text on their device. Slack identified the problem on January 20, 2021 and resolved it on January 21, 2021. A fixed version of the Android app is available and we have blocked use of the affected version (s).
Use the following link to set your new password immediately: [redacted]
Selecting a complex and unique password is highly recommended and is essential to protect the integrity of your account. We recommend using a password manager to help you keep track of your passwords for every service you use.
Finally, you can manually delete the logs from your device. Note that this action will also log you out of any Slack workspaces that you are a member of. We have already invalidated the logged password, but if you have reused this Slack password to log in to other websites, it is highly recommended.
You can do this with these instructions on your Android device:
From your home screen, go to the Settings app
Scroll down and select Apps
Navigate to and select Slack
Click Clear data on the left side of the screen
Click OK to confirm that you want to delete data
Log in to Slack with your new password
We regret the inconvenience we have caused. If you have any questions, feel free to respond to this report directly – our support team is here to help.
The Slack team
Slack says the bug affected only a small subset of Android users, if you don’t receive email from the company you may not need to change your password. But again, better safe than sorry, especially if you’re reusing passwords. And if you reuse passwords, stop that. Purchase a password manager and set a uniquely complex password for every service and site that requests it.
If you’re like us and don’t trust links in an email asking for a password change, you can skip that and go straight to Slack’s site (Google it if you don’t trust our link either). Simply log in with your credentials and then manually change your password.
Storing plain text passwords is a pretty bad security flaw, but Slack is far from the first (or last) company to make that mistake. Fortunately, it contacts users proactively, although we recommend a post on the company’s blog to reassure us that all email is genuine.
via Android Police