Stored in plain text on the device: Slack wants some users to reset their password
There was a glitch at Slack: for a month, the passwords of some users were logged in clear text on their own devices. Some Android users are affected and are now being asked to change their password. So it is not a phishing email.
Got an email from Slack too? Time and again, so-called "phishing emails" circulate to harvest passwords. This time, you might think the email from Slack is one of them. But it is not: as of today, Slack is asking some Android users by email to reset their passwords.
Reset Slack Password: Users & Workspace Admins receive email
Under the subject "[Security update]: Your Slack account" or "[Security Update]: Your Slack Account", the company is currently emailing users individually. Unfortunately, the emails are not done well: they do not address the user by name, which is usually the first indicator of a phishing email. Not only the users themselves, but also the workspace administrators received an email. Depending on the language set in Slack, it is written in German, English or another language. The administrator sees which users this problem affects.
After receiving this email, we recommend that you immediately reset your password using the link provided. The workspace administrator may be forcing you to do this anyway, in which case you can no longer log in with the current password. Companies using SSO login are not affected. Even if the password was only made "public" on one's own device, other apps and the system could have accessed these logs. As a result, it should not be difficult to read out the password either. Alternatively, a user can always reset their password at the following link: [workspace].slack.com/account/settings#password
This is the email that Slack users receive
The full email to users is as follows:
Hello,
Slack wants the password for the [your username] account on [workspace].slack.com to be reset. This is a precautionary measure due to a bug we discovered. There are no indications that unauthorized persons or third parties had access to this account. We take the security of your team and the protection of your communication data very seriously. We would like to apologize for any inconvenience.
On December 21, 2020, Slack encountered a bug that caused some versions of our Android app to log user credentials in plain text on their devices. Slack identified the problem on January 20, 2021 and fixed it on January 21, 2021. A cleaned version of the Android app is available and we have stopped using the affected version(s).
If you'd like to set a new password immediately, click the link below:
We strongly recommend creating a difficult and unique password. This is the only way to protect the integrity of your account. It's best to use a password manager. So you always know which password you have chosen for each of your services.
Finally, you can manually delete the logs from your device. Please note that this action will also log you out of any Slack workspaces you are a member of. We have already invalidated the logged password. However, if you also use it to log in to other websites, we strongly recommend performing this action.
On your Android device, you can do this with the help of the following instructions:
- Open the Settings app on your home screen
- Scroll down and select Apps
- Find and select Slack
- Select Storage
- Click on Delete data on the left
- Click on OK to confirm that you want to delete the data
- Sign in to Slack with your new password
We are very sorry for the inconvenience caused. If you have any further questions, just reply to this notification. Our support team is always there for you.
With kind regards,
Your Slack team
We cannot say ourselves whether users who have not received a notification are really not affected. It's best to use a password manager anyway and still reset your Slack password to be on the safe side. As a further measure, you should always use two-factor authentication. Then the password alone is of no use to a possible hacker. This is how you play it safe.