On Friday 5th February, we notified a small subset of Slack’s Android users that we had reset their passwords in response to a bug that logged credentials in plain text.
Following this, we identified a further subset of users affected by the same bug and sent notifications to those users on Thursday 25th March.
This reset included only a small subset of Android users who had entered their password between 11th January 2021 and 20th January 2021. Most mobile users sign in infrequently, so the vast majority of our Android users were not affected. Users who log in through a single-sign-on (SSO) provider were not affected at all.
Slack took this step out of an abundance of caution, even though the risk of exposure of these logged passwords was very low and there is no evidence of any unauthorised or third-party access to affected accounts. The passwords were logged to the local device logs, which are visible only to the Slack app on the device. On a properly operating Android device, there is no risk that any other app could view these logs. Additionally, the space for these logs is limited to 512 kB, so they may be overwritten quickly.
At this time, it is not necessary for notified Android users to take any additional steps. Slack has reset all known logged passwords, required users on the affected version to upgrade to a fixed version of the Android app, and notified these users and the primary owners of their workspaces of the issue. For more information on resetting Slack passwords, please refer to this article from Slack’s Help Centre.
Maintaining the security of your team and the privacy of your communications is important to us. We sincerely apologise for any disruption.