If you just got an email from Slack explaining that you need to reset your password with a big, phishy-looking link, it's legit. The company's Android app was accidentally logging credentials in plain text, and affected customers are being notified via email to reset their passwords. We've reached out to Slack to be triply sure, and company representatives tell us that it's not a scam; they're sending these emails themselves.
These emails above and below are legit; you're not being phished.
Again, this isn't a phishing attempt or anything like that, even though it might look like one at a glance. Emails were sent to Slack customers that were affected. Slack tells us this only impacted a small subset of Android users (less than 1%) who are being notified as of this afternoon.
Included in the email is a link to reset your password. It's safe to click, or you can navigate to Slack's site directly yourself, sign in there, and reset your password manually, if you want to be especially careful — though, again, it isn't really necessary. Just make sure your new password is a good one.
Affected customers are also asked to wipe their Android app's data to get rid of those logs, which are still hanging around your phone's storage, storing your login credentials in plain text. There are a handful of ways to do that. Slack instructs customers to go to Settings -> Apps -> Slack -> Storage -> Clear Data or Storage. If that doesn't work, you can try long-pressing the Slack app or its icon in the multitasking menu and tapping App Info -> Storage -> Clear Data or Storage, or search for the app in Settings. Note that you'll need to sign back in after doing this.
If you used your Slack password at any other websites, be sure to reset it there, too. If you save your passwords with Google, a good way to check is with Chrome's built-in password checkup tool, accessible in Settings -> Autofill -> Passwords, which lets you see if the ones it lists for Slack were used anywhere else.
The version of the Android app responsible for this issue has been blocked from use, so there's no reason to worry about updating it: If your version still works, it's a good one. But you can download the latest version over at the Play Store if you want to be sure.
The full text of the email is just below:
Slack is requiring a password reset for the [redacted] account on [redacted]. We are taking this step as a precaution due to an error that we discovered and there is no evidence of any unauthorized or third party access to this account. Maintaining the security of your team and the privacy of your communications is important to us. We apologize for the disruption.
On December 21st, 2020, Slack introduced a bug that caused some versions of our Android app to log clear text user credentials to their device. Slack identified the issue on January 20th, 2021 and fixed it on January 21st, 2021. A fixed version of the Android app is available and we have blocked usage of the impacted version(s).
To set your new password immediately, please use the following link: [redacted]
Selecting a complex and unique password is strongly recommended, and is vital to protecting the integrity of your account. We suggest the use of a password manager to help you keep track of your passwords for every service you use.
Finally, you can manually delete the logs from your device. Be advised this action will also log you out of all Slack workspaces of which you are a member. We have already invalidated the logged password, but if you have reused this Slack password to log into other websites, this is highly recommended.
You can do this with these instructions on your Android device:
From your home screen, go to the Settings app
Scroll down and select Apps
Navigate to and select Slack
Click Clear data on the left side of the screen
Click OK to confirm that you wish to clear data
Log into Slack using your new password
We very much regret any inconvenience we have caused. If you have additional questions, you can reply directly to this notification — our support team is standing by and ready to help.
The team at Slack