Slack is asking some Android users to change their passwords after its app saved passwords in clear text for a month.
Some Slack users have received an email that looks questionable at first glance, asking them to reset their password. Although the message resembles phishing, it was indeed sent by the messaging company due to a security breach.
A flaw neutralized
In this email, the company explains that the Android version of its application released on December 21, 2020, mistakenly saved certain passwords in clear text, that is, without encryption, compromising user security. The flaw was closed on January 21, 2021, and the affected version is now unusable.
It then took Slack almost three weeks to identify the affected users and notify them individually. Few accounts seem to have been impacted, especially since many users log in through single sign-on (SSO), such as Google's or their company's.
Those affected are also asked to clear the application data on their phone, which ensures that the password is no longer stored on the device.
If you’ve been contacted by Slack, it’s recommended that you change your password on other sites as well, if you use the same one there.