Why Your Slack Password is Now Vulnerable



Slack is a great team-communication app, but recently the company behind it made a huge blunder. A December 2020 update to the Android version of the app has potentially exposed every user’s password. If you have had the app installed on your Android device since December 2020, you need to change your password straight away.

The Slack Bug That Made You Vulnerable

In December 2020, the developers behind Slack published an update to the Google Play Store. This update made some key changes to the way the app stores your password. In some versions of the app, passwords were written to ordinary plain-text files with no encryption at all.

The company has since released another update that fixed the bug, but passwords were left exposed during that period. If you used the app at all between December and January, your password might have been exposed.

What to Do About the Slack Bug

Your first step should be to change your Slack account password. Unfortunately, the company behind the app doesn’t make it particularly easy to access the password options on your account. There is currently no way of changing your password from the mobile-application versions of the software. Instead, you must log in to the app’s desktop version and jump through some serious hoops to change your settings. Follow the guide below to secure your Slack account.

Open the desktop app and click on your profile picture in the top right of the screen.

Image 1 of Slack tutorial. | Source: Hacked/W.S.Worrall

Click ‘View Profile’ in the dropdown menu.

Image 2 of Slack tutorial. | Source: Hacked/W.S.Worrall

Click ‘More’ in the sidebar.

Image 3 of Slack tutorial. | Source: Hacked/W.S.Worrall

Click ‘Account Settings’ in the dropdown menu. The link will be opened in your default web browser.

Image 4 of Slack tutorial. | Source: Hacked/W.S.Worrall

Click ‘expand’ under the ‘Password’ heading.

Image 5 of Slack tutorial. | Source: Hacked/W.S.Worrall

Enter your current password to confirm your identity and your new password beneath it. Click ‘Save Password’ to confirm.

Image 6 of Slack tutorial. | Source: Hacked/W.S.Worrall

Ensure you’re using a strong password. Follow our guide on common password mistakes to avoid making a blunder. You should change your password on any other sites that use the same password, preferably to something unique.

Slack Needs to Make Changes

This security bug has highlighted some changes that Slack needs to make. The roundabout way you have to change your password is no good. If you were hacked, you’d have to quickly change your password, and clicking 5 times to get to the password change screen is a few clicks too many. Not to mention, the method of changing your password is incredibly unintuitive for users.

It’s clear that something needs to change about the app’s updating procedure as well. A security flaw this severe should never have been published in the first place. When updating applications that handle sensitive data, extra care needs to be taken. Even greater care is needed when that application is published to Android, which is an incredibly vulnerable platform for data safety.

In the meantime, you should make sure you’re using 2FA on your Slack account and using a unique password for the app. If this situation happens again, at least the only account made vulnerable will be your Slack account.


Featured image by rafapress from Shutterstock.com