The Slack email you just received to reset your password is legitimate, not a scam

If you just received an email from Slack explaining that you need to reset your password, complete with a large, phishing-looking link, it’s legitimate. The company’s Android app was accidentally logging credentials in plain text, and affected customers are being notified via email to reset their passwords. We contacted Slack three times to be sure, and the company’s representatives told us that this is not a scam: they are sending these emails themselves.

The emails above and below are legitimate; you are not being phished.

Again, this is not a phishing scam or anything like that, although it may seem like one at first. As we write this, emails are being sent to Slack customers, and we’re not sure if everyone will receive one. Slack tells us that the bug affected only a small subset of Android users, who are being notified as of this afternoon.

Included in the email is a link to reset your password. It’s safe to click, or you can navigate directly to the Slack website yourself, log in there and reset your password manually, if you want to be extra careful – although, again, it’s not really required. Just make sure your new password is valid.

Affected customers are also asked to clear data from their Android apps to get rid of these logs, which are still sitting in their phone’s storage with their login credentials in plain text. There are several ways to do this. Slack instructs customers to go to Settings -> Applications -> Slack -> Storage -> Clear data or storage. If that doesn’t work, you can long-press the Slack app or its icon in the multitasking menu and tap Application info -> Storage -> Clear data or storage, or search for the app in Settings. Note that you will need to sign in again after doing this.

If you used your Slack password on any other website, be sure to reset it there as well. If you save your passwords with Google, a good way to check is Chrome’s built-in password verification tool, accessible from Settings -> Autofill -> Passwords, which lets you see whether the passwords it lists for Slack have been used anywhere else.

The version of the Android application responsible for this problem has been blocked and there is no reason to worry about updating it: if your version still works, it is a good one. But you can download the latest version from the Play Store if you want to be sure.

The full text of the email is below:

Hello,

Slack is requiring a password reset for the [redacted] linked account [redacted]. We are taking this as a precaution due to an error we discovered and there is no evidence of any unauthorized or third party access to this account. Maintaining the security of your staff and the privacy of your communications is important to us. We apologize for the interruption.

On December 21, 2020, Slack introduced a bug that caused some versions of our Android app to register user credentials in clear text on their devices. Slack identified the problem on January 20, 2021 and fixed it on January 21, 2021. A corrected version of the Android application is available and we block the use of the affected versions.

To set your new password immediately, use the following link: [redacted]
The selection of a complex and unique password is highly recommended and is vital to protect the integrity of your account. We suggest using a password manager to help you control your passwords for all services you use.

Finally, you can manually delete records from your device. Be warned that this action will also disconnect you from all Slack workspaces of which you are a member. We have already invalidated the registered password, but if you reused the Slack password to enter other sites, this is highly recommended.

You can do this with these instructions on your Android device:

On the home screen, go to the Settings app
Scroll down and select Apps
Scroll and select Slack
Select storage
Click Clear data on the left side of the screen
Click OK to confirm that you want to clear the data
Log into Slack using your new password

We are very sorry for any inconvenience we have caused. If you have any other questions, you can respond directly to this notification – our support team is ready to help.

Regards,
The Slack team
