You might want to change your Slack password if you used the app on Android. According to an email sent out by the company and published by Android Police, the Android version of the Slack app stored users’ credentials in plain text between December 21st and January 21st, theoretically meaning other apps on your phone could have had access to them. Slack says it hasn’t seen any unauthorized access, and that it’s already emailed all affected users and invalidated their passwords — so if you had to enter a new password when you opened the app, that could be why.
After we published this story, the company reached out to clarify that it believes your passwords were still secure — the logs in which they were stored would be private unless users had a rooted phone with protections turned off. The company also says this only affected users who logged on with their email address and password during that one-month period — whereas a lot of large organizations, The Verge included, use a single-sign-on (SSO) system instead. If you use SSO, or were already logged in, you shouldn’t have been affected.
If you’ve got the popular communications tool installed on your Android phone, the first thing you’ll want to do is update to the latest version from the Play Store, since changing your password won’t do any good if you’re still running the old version. Then, if you got the email from Slack, you can click on the link to change your password. You can also do it manually from a desktop computer using Slack’s instructions.
First, sign in to Slack, then go to your profile, which can be accessed by clicking your picture in the top right-hand corner of the app or web app and clicking View Profile. Then, click the More button and Account Settings. From there, you should be able to change your password.
Of course, if you used your Slack password on other websites, you should change your passwords for those, too (preferably to something unique).
Update February 11th, 12:35AM ET: Added Slack’s clarification that the passwords were stored in private logs, and that the issue should have only affected users who logged in with an email and password specifically during the one-month period.