Slack says Android users’ passwords were left exposed for a month on its platform

The company says all users should change their passwords

02/11/2021

Sarah D. Young Reporter and Editor

Slack developers have sent emails to some Android users saying they erroneously logged the passwords of Android users in plain text for a period of time. Emails have been sent to affected users containing a link to perform a password reset. Android Police noted that the email might look like a phishing attempt to some people, but it’s legitimate.

“It's safe to click, or you can navigate to Slack's site directly yourself, sign in there, and reset your password manually,” the site reported.

Slack said the logging “bug” took effect on December 21, 2020, but it apparently wasn’t caught and fixed until January 21, 2021. Over the course of those 31 days, Slack for Android may have logged users’ passwords in an unencrypted format.

Slack said the issue only impacted a small subset of Android users. However, anyone who uses Slack for Android on a regular basis may want to change their password even if they didn’t receive an email saying they should do so.

Wiping logs

In addition to choosing a new “complex and unique password,” affected users are also advised to clear the storage of Slack for Android so that any potentially password-containing logs are wiped from the device.

Slack assured users that it has rolled out “a fixed version” of the Android app. Additionally, it has “blocked usage of the impacted version(s).”

“We very much regret any inconvenience we have caused,” Slack said in the email.

Sarah D. Young

Sarah has been writing and editing for ConsumerAffairs since 2015. Her areas of interest include technology and cybersecurity news, retail news, and home and living news. She is a graduate of Virginia Commonwealth University, an interior design enthusiast, and a mother of two.

Read Full Bio

Wiping logs

Get the news you need delivered to you

You’re signed up