If you use Slack on an Android phone, you’ll want to update your password as soon as possible.
The company sent out emails to users telling them they need to update their password as a “precaution.” Further, in the email, Slack explained that it found “no evidence of any unauthorized or third party access” to accounts.
Not everyone received an email from Slack about the issue. However, even those who weren’t contacted may want to change their passwords just to be safe.
Although the email certainly seems like a phishing scam, Android Police confirmed with Slack representatives that it’s legitimate.
In short, the Android version of the Slack app stored users’ sign-in credentials in plain text between December 21st and January 21st. Slack passwords were theoretically visible to any other app on a user’s Android phone during that period.
Changing your Slack password
If you use Slack on Android, there are a few things you should do. First, make sure that you’re running the most up-to-date version of Slack on your device. The easiest way is to check for updates on the Play Store, but if you want to be doubly sure, you can long-press on the Slack app in the app drawer, tap ‘App info’ and scroll to the bottom for the version number. At the time of writing, the current version number is ‘21.02.10.0’.
Next, you should change your password. It’s essential to update the app before you do so, however. The Verge points out that if you change the password while using the old Slack app, it will end up stored in plain text and exposed again.
There are a few ways to change your Slack password. The first is to click the link in the email Slack sent out. Only do this if you trust the email — it’s possible scammers may try to capitalize on the confusion and send out phishing messages to trick users. You can change your password directly through Slack as well, although it appears this option isn’t available from the mobile app.
To do this, open Slack in your web browser, or open the app. Make sure you’re signed in, then click your profile image and select ‘View profile.’ Tap or click the ‘More’ option and select ‘Account settings.’ This should open a Slack webpage where you can edit settings like your password or email address.
Some organizations use Single Sign-On (SSO) for Slack, which means users won’t have a password. In that case, you won’t be able to change your Slack password as you never created one.
It’s also worth noting that if you use the same password with multiple web services, you should update it on those services too. One of the best ways to limit the fallout from this kind of exposure is to use a password manager with a unique, random password for each service. That way, if one is exposed, your other passwords remain secure.
Source: Android Police, The Verge