A couple of years after the data breach that forced a massive password reset, the operators of the Slack email service have asked users on Android devices to reset their credentials again, as these may have been exposed in plain text.
Users of the Android app were notified by an emailed security alert that their password was being reset as a preventive measure in response to this incident. While many users might ignore this message because it has been assigned an “apparently malicious content” tag, Slack developers have confirmed that it is a legitimate security alert, so users will need to change their password immediately.
Everything seems to indicate that, by mistake, the Slack app for Android started recording user credentials in plain text. The company requested the reset because groups of threat actors could try to use this information in subsequent attacks, such as credential stuffing. In a credential stuffing attack, cybercriminals create software that tries to access online accounts in an automated manner using usernames and passwords exposed in previous security incidents.
“A security error led to the registration of some passwords in clear text on users’ devices,” the security alert mentions. Slack says that the error only affected a small number of users, and that the service for iOS devices was not compromised. The flaw was corrected in January 2021, immediately after the report was received; although the security patches are not unique to the latest version of Slack for Android, users are advised to update the app from the Play Store.
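The bug class described above, credentials written to on-device records in clear text, can be checked for and blocked at the logging layer. The following is an added example, not code from Slack or from the alert; it assumes the records are ordinary application log lines, and the field names, log format and sample lines are constructed for illustration.

```python
import logging
import re

MASK = "[REDACTED]"
# Field names treated as secrets (an assumption; extend for the app being audited).
SENSITIVE = r"(?:password|passwd|pwd|secret|token|api_key)"
PATTERNS = [
    # JSON body: "password": "value"
    re.compile(r'("' + SENSITIVE + r'"\s*:\s*")((?:[^"\\]|\\.)*)(")', re.I),
    # Form/query/plain text: password=value or password: value
    re.compile(r'(' + SENSITIVE + r'\s*[=:]\s*)([^\s&",;]+)()', re.I),
]

def redact(line):
    """Return (clean_line, n), where n is the number of secret values masked."""
    total = 0
    for pat in PATTERNS:
        line, n = pat.subn(lambda m: m.group(1) + MASK + m.group(3), line)
        total += n
    return line, total

def audit(lines):
    """Return the 1-based numbers of lines that contain a clear-text secret."""
    return [i for i, text in enumerate(lines, 1) if redact(text)[1]]

class RedactingFilter(logging.Filter):
    """Attach to a handler so secrets are masked before a record is written."""
    def filter(self, record):
        record.msg, _ = redact(record.getMessage())
        record.args = ()  # message is already formatted
        return True

# Constructed sample log lines (not real Slack output).
SAMPLE_LOG = [
    "01-12 10:02:11 D/AuthClient: POST /signin email=ana@example.com&password=Tr0ub4dor3&team=acme",
    '01-12 10:02:11 D/AuthClient: body={"email": "ana@example.com", "password": "Tr0ub4dor3"}',
    "01-12 10:02:12 I/AuthClient: signin ok user_id=U123",
    "01-12 10:05:40 D/Settings: tokenizer: fast, retries=3",
]

if __name__ == "__main__":
    print("lines with clear-text secrets:", audit(SAMPLE_LOG))
    for entry in SAMPLE_LOG:
        print(redact(entry)[0])
```

`audit` is the after-the-fact check over collected logs; `RedactingFilter` is the preventive control that keeps the value from being written in the first place.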
The developers also invited users of the Android app to clear all the data stored by the app in order to delete any plain text records that might persist on their devices; to complete this action, go to Settings > Apps > Slack > Storage > Clear Data/Clear Storage.
Users can also do this by holding down the Slack app icon in the multitasking menu and going to App Information > Storage > Clear Data/Clear Storage.
Remember to sign in again after you have made the necessary changes. Be sure to reset your password on all accounts or websites where you used the Slack password to prevent subsequent incidents.