Slack says Android users’ passwords were left exposed for a month on its platform


The company says all users should change their passwords

Slack developers have sent emails to some Android users saying the app erroneously logged their passwords in plain text for a period of time. The emails, sent to affected users, contain a link to perform a password reset. Android Police noted that the email might look like a phishing attempt to some people, but it’s legitimate.

“It's safe to click, or you can navigate to Slack's site directly yourself, sign in there, and reset your password manually,” the site reported.

Slack said the logging “bug” took effect on December 21, 2020, but it apparently wasn’t caught and fixed until January 21, 2021. Over the course of those 31 days, Slack for Android may have logged users’ passwords in an unencrypted format.

Slack said the issue only impacted a small subset of Android users. However, anyone who uses Slack for Android on a regular basis may want to change their password even if they didn’t receive an email saying they should do so. 

Wiping logs

In addition to choosing a new “complex and unique password,” affected users are also advised to clear the storage of Slack for Android so that any potentially password-containing logs are wiped from the device. 

Slack assured users that it has rolled out “a fixed version” of the Android app. Additionally, it has “blocked usage of the impacted version(s).” 

“We very much regret any inconvenience we have caused,” Slack said in the email. 
