If you just got an email from Slack explaining that you need to reset your password with a large, phishy-looking link, this is legal. The company’s Android app accidentally recorded referrers in plain text, and affected customers are notified by email to reset their passwords. We touched Slack to make sure, and company representatives tell us it’s not a scam, they’re sending these emails themselves.
These top and bottom emails are legal; you are not fished.
Again, this is not a phishing attempt or anything like that, although it does seem at a glance. Emails are sent to Slack customers while we talk, and we are not sure if everyone will get one. Slack tells us that it only affected a small group of Android users who were notified this afternoon.
The email includes a link to reset your password. It is safe to click, or you can navigate directly to the Slack website yourself, log in and manually reset your password, if you want to be especially careful – but it is not really necessary. Just make sure your new password is correct.
Affected customers are also asked to delete the data from their Android app to get rid of the logs that are still hanging in your phone’s storage and store your credentials in plain text. There are a handful of ways to do this. Slack instructs customers to go to Settings -> Applications -> Slap -> Storage -> Clear Data or Storage. If that doesn’t work, you can long-press the Slack app or its icon in the multitasking menu and tap App information -> Storage -> Clear data or clear storage, or search the app in Settings. Note that you will need to sign in again after doing so.
If you used your Slack password on any other website, you will need to reset it there as well. Storing your passwords with Google is a great way to check with the built-in Chrome password-checking password available in Settings -> AutoFill -> Passwords to see if those who call it Slack are used elsewhere.
The version of the Android app that is responsible for this issue has been blocked, so there is no need to worry about the update: if your version is still working, it’s a good version. But you can download the latest version from the Play Store if you want to be sure.
The full text of the email is just below:
Hello,
Slack requires a password reset for the [redacted] account on [redacted]. We are taking this step as a precaution due to an error we discovered and there is no evidence of unauthorized or third party access to this account. It is important to us to maintain the security of your team and the privacy of your communications. We apologize for the inconvenience.
On December 21, 2020, Slack introduced an error that caused some versions of our Android app to report clear text user credentials on their device. Slack identified the issue on January 20, 2021, and corrected it on January 21, 2021. A fixed version of the Android app is available and we have blocked the use of the affected version (s).
Use the following link to set your new password immediately: [redacted]
Choosing a complex and unique password is highly recommended and is essential to protect the integrity of your account. We suggest using a password manager to keep track of your passwords for each service you use.
Finally, you can manually delete the logs from your device. Note that this action will also log you out of all Slack workspaces of which you are a member. We have already invalidated the login password, but if you have reused this Slack password to log in to other sites, it is highly recommended.
You can do this with the following instructions on your Android device:
Go to the Settings app from your Home screen
Scroll down and select Apps
Navigate to and select Slap
Choose storage
Click Clear Data on the left side of the screen
Click OK to confirm that you want to delete data
Log in to Slack with your new password
We are very sorry for the inconvenience we caused. If you have additional questions, you can respond directly to this notice. Our support team is ready and willing to help.
Friendly greeting
The team at Slack