On Friday, February 5, we notified a small subset of Slack’s Android users that we had reset their passwords in response to a bug that logged credentials in plain text.
Subsequently, we identified a further subset of users who were impacted by the same bug, and we sent notifications to those users on Thursday, March 25.
This reset included only a small subset of Android users who had entered their password between January 11, 2021, and January 20, 2021. Most mobile users sign in infrequently, so the vast majority of our Android users were not impacted. Users who log in through a single-sign-on (SSO) provider were not impacted at all.
Slack took this step out of an abundance of caution: the risk that these logged passwords were exposed was very low, and there is no evidence of any unauthorized or third-party access to impacted accounts. The passwords were written to the local device log (logcat). On a properly operating Android device, an app can read only the log entries it wrote itself, so no other third-party app could view them. The entries do remain readable to anyone with developer (USB debugging) access to the unlocked device, for example through `adb logcat`, or in a captured bug report, which is part of why we reset the passwords anyway. Additionally, the space for these logs is limited to 512KB, so entries are overwritten quickly.
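To make the class of bug concrete, the following is an added illustration written for this page; it is not Slack's code and does not describe the actual defect. It assumes a hypothetical Android sign-in client that builds its request body as an `org.json.JSONObject` and shows a logging call that would put the password into logcat next to a version that redacts sensitive fields and only logs in debug builds (`BuildConfig.DEBUG` is the flag Gradle generates for an Android app module; the `SENSITIVE_KEYS` list is an assumption for the example).

```java
// Added example for this page, not Slack's code. Hypothetical sign-in client.
import android.util.Log;
import org.json.JSONException;
import org.json.JSONObject;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Locale;
import java.util.Set;

public final class SignInLogging {
    private static final String TAG = "SignIn";

    // Field names whose values must never reach a log line (assumed list for this example).
    private static final Set<String> SENSITIVE_KEYS =
            new HashSet<>(Arrays.asList("password", "token", "cookie", "authorization"));

    private SignInLogging() {}

    // VULNERABLE: serialises the whole request body, so a line like
    //   D/SignIn: sign-in request: {"email":"a@b.c","password":"hunter2"}
    // lands in logcat in plain text.
    static void logRequestUnsafe(JSONObject body) {
        Log.d(TAG, "sign-in request: " + body.toString());
    }

    // HARDENED: never log in release builds, and redact sensitive fields even in debug.
    static void logRequestSafe(JSONObject body) {
        if (!BuildConfig.DEBUG) {
            return; // release builds write nothing about the request
        }
        try {
            Log.d(TAG, "sign-in request: " + redact(body).toString());
        } catch (JSONException e) {
            // Never fall back to logging the raw body; log a fixed message instead.
            Log.d(TAG, "sign-in request: <unloggable body>");
        }
    }

    // Returns a copy of `body` with sensitive values replaced, recursing into nested objects.
    static JSONObject redact(JSONObject body) throws JSONException {
        JSONObject copy = new JSONObject();
        Iterator<String> keys = body.keys();
        while (keys.hasNext()) {
            String key = keys.next();
            Object value = body.opt(key);
            if (SENSITIVE_KEYS.contains(key.toLowerCase(Locale.ROOT))) {
                copy.put(key, "<redacted>");
            } else if (value instanceof JSONObject) {
                copy.put(key, redact((JSONObject) value));
            } else {
                copy.put(key, value);
            }
        }
        return copy;
    }

    // Constructed sample input, for a manual check in a debug build.
    static JSONObject sampleRequest() throws JSONException {
        return new JSONObject()
                .put("email", "user@example.com")
                .put("password", "hunter2")
                .put("device", new JSONObject().put("token", "abc123").put("model", "Pixel"));
    }
}
```

A practical check for a build under test: sign in on a debug build, then run `adb logcat -d | grep -i password` (or search for the test account's actual password) and confirm nothing matches. Redaction by field name is a safety net, not a substitute for the release-build gate; a common additional step is a ProGuard/R8 `-assumenosideeffects` rule that strips `android.util.Log` calls from release builds entirely.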
At this time, there are no additional steps necessary for notified Android users to take. Slack has reset all known logged passwords, required users on the impacted version to upgrade to a fixed version of the Android app, and notified these users and the Primary Owners of their workspace of the issue. For more information on resetting Slack passwords, please refer to this article from Slack’s Help Center.
Maintaining the security of your team and the privacy of your communications is important to us. We sincerely apologize for any disruption.