Nov 10, 2024

Slack Cyber Security Essentials: Risks, Best Practices and Top Tools in 2025

Nothing throws a wrench into productivity like a data breach. 

Slack is a top-rated productivity tool, saving organizations time and resources, until it turns out that some sensitive data was compromised and then… oh, no. 

This post will review several Slack cyber security incidents that have happened on corporate Slack instances over the past few years. We’ll identify the threat and its impact or potential impact. 

Then we’ll discuss the practical steps with which you can secure your corporate Slack, preventing a similar fate from befalling your organization. 

But first…

What is Slack cyber security?

Slack cyber security refers to the tools and processes by which you protect your Slack user accounts and data assets. If your Slack cyber security is not effective enough, the access bad actors gain to your Slack accounts and assets can pose several types of danger to your organization. 

If bad actors find sensitive or confidential data in your Slack and expose that data, your organization may face strategic loss, reputational damage and/or legal penalties. 

Additionally, sometimes information posted in your Slack channels (e.g. encryption keys, login details) can give bad actors access to other corporate systems, enabling them to expand their negative impact on your organization’s security. 

The top 4 cybersecurity threats on Slack (with real world examples)

1. Insider threats: the case of Disney

In July 2024, hacker group Nullbulge exfiltrated and exposed 1.1TB of data from Disney’s internal Slack channels. The data included login credentials, unreleased projects, computer code, images and links to internal websites and APIs.

How did Nullbulge get into Disney’s Slack? They claim there was an insider who was helping them (who later stopped, apparently, with Nullbulge “punishing” him by exposing plenty of his personal data on the internet). 

Insider threats are a particularly potent cyber security risk for your Slack (and any other corporate SaaS systems) due to difficulty of detection. After all, the insider has a legitimate account that is supposed to be active in your systems! How are you supposed to tell that they’re doing illegitimate things? (Spoiler: in the next section we show how you CAN tell.)

Following the breach, Disney decided to stop using Slack as an internal communications tool, although they have been quiet about the specific negative impacts caused by the breach.

The primary negative impact from this type of breach is often that of sensitive data exposure:

  • Exposure of intellectual property and unreleased projects can spoil a strategic advantage. 
  • Exposure of confidential financials can hurt business positioning and evaluation.
  • Exposure of PII (personally identifiable information) can lead to legal action and financial penalties. 

And exposure of any sensitive data can damage the reputation of the business who suffers the breach; no one wants to entrust their data to someone who has proven untrustworthy with others’ data. 

2. Risky retained access: the case of Gizmodo

In a “let’s see if I can do this”-type prank, former Gizmodo employee Tom McKay maintained his employee Slack account - and used it actively! - for months after leaving the company. 

How did he succeed?

Tom switched his username to “Slackbot” (note: that “o” is not a standard Latin “o”; it’s a look-alike Unicode character, which is why Slack didn’t refuse the change on the grounds that the username was already taken). He also switched out his profile picture for a modified image of the Slackbot icon. 

These changes camouflaged Tom’s account and kept it under the radar of Gizmodo’s IT, information security and HR teams. 
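As an added example (not part of the original post, and not Gizmodo’s or Slack’s own tooling), here is a small Python check a workspace admin could run over member display names to catch look-alike renames of the kind just described. The reserved-name list and the confusables map are assumed, constructed subsets.

```python
import unicodedata
from typing import Optional

# Names no human member should be able to claim (assumed list for this example).
RESERVED_NAMES = {"slackbot"}

# NFKC normalization folds compatibility forms (fullwidth letters, ligatures) but
# not cross-script look-alikes such as Cyrillic "о" (U+043E), so those need an
# explicit map. This is a small constructed subset of the Unicode confusables
# table, plus the usual digit/symbol substitutions.
CONFUSABLES = {
    "\u043e": "o", "\u03bf": "o",                                 # Cyrillic o, Greek omicron
    "\u0430": "a", "\u0435": "e", "\u0441": "c", "\u0440": "p",   # Cyrillic a, e, c, p
    "\u0455": "s", "\u0456": "i", "\u0131": "i",                  # Cyrillic s, i; dotless i
    "0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s", "|": "l",
}

def skeleton(name: str) -> str:
    """Reduce a display name to the plain form it visually impersonates."""
    text = unicodedata.normalize("NFKC", name).casefold()               # "Ｓlackbot" -> "slackbot"
    text = "".join(ch for ch in text if not unicodedata.combining(ch))  # drop accents
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)              # map look-alikes
    return "".join(ch for ch in text if ch.isalnum())                   # ignore separators

def impersonates_reserved_name(name: str) -> Optional[str]:
    """Return the reserved name a display name collides with, or None."""
    s = skeleton(name)
    for reserved in RESERVED_NAMES:
        # Exact or prefix match, so "Slackbot (official)" is caught as well.
        if s == reserved or s.startswith(reserved):
            return reserved
    return None

def audit_members(display_names):
    """Return (name, reserved) pairs for every member whose name impersonates one."""
    return [(n, r) for n in display_names if (r := impersonates_reserved_name(n))]
```

The same skeleton comparison works for any name you want to protect (executives, the IT help desk), since impersonation of management is one of the scenarios listed below.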

While this particular case of retained Slack access was done and used purely for kicks, the same techniques could clearly be used by real threat actors out for personal gain:

  • an ex-employee who has left for a competitor wants to keep tabs on their former company’s plans
  • an external contractor from a long-ago-finished project can still peek at current projects or conversations
  • a user changes their account to impersonate management and ask for confidential information

When Slack access persists for longer than it should, it extends an invitation to risk. 

3+4. Stolen cookies + social engineering: the case of EA Games

What happened to EA Games demonstrates two different Slack cybersecurity threats… and how they can be used together for hacking synergy (note: if you’re a target, that synergy is a bad thing).

The incident starts with stolen Slack cookies that were being sold online. The hacker who purchased the cookies found that one had apparently belonged to a user on EA Games’ corporate Slack. The cookie enabled him to log in to EA’s Slack as this EA employee.

Once inside Slack as the ‘employee,’ the hacker used Slack to communicate with the company’s IT support. “I lost my phone at a party last night, and so I can’t do the MFA to login to the EA internal systems. Can you help me?” was the gist of the message. 

This social engineering attack did the trick; the support tech provided the ‘employee’ with an MFA token. The hacker was in. 

What happened to EA as a result?

The hackers exfiltrated over 780GB of source code from EA’s internal code repositories. They tried to find buyers on the underground market, but no one was interested enough. 

They then turned to EA directly, demanding that the company pay them - or they would publicly expose all this proprietary data. EA refused; the hackers released all the data on the internet.

EA lost the confidentiality of their proprietary data and intellectual property. They had to deal with an extortion attempt. Even though they decided not to invest financial resources into paying a ransom, they still had to put HR and psychological resources into figuring out how to respond - and how to recover.

Data security isn’t a game. 

Best practices for securing Slack

How can you prevent the above scenarios from repeating themselves at your organization?

Let’s go through the threats one by one and discuss best practices for preventing or mitigating them. And it’s not just for Slack; all of these apply equally to other corporate SaaS systems, such as Google Workspace or Microsoft 365.

Address insider threats with insider risk management

Insiders are a Catch-22. You need to trust them, or you won’t be able to get anything done for the business. But on the minority of occasions when that trust is betrayed, it can damage the business tremendously.

It is also much harder to detect an insider threat, because the insider is supposed to be inside your systems. It’s like a mystery novel where the protagonist needs to figure out who committed the murder at a party where he personally invited all the attendees!

You need effective insider risk management solutions in order to combat insider risk. These solutions include user behavior monitoring tools, which let you judge a person by what they do, not just by the credentials they present. So, for example, you can monitor a user’s:

  • Login activity
  • Interaction with apps and assets

An insider can be either a true insider (an actual employee gone bad) or a person impersonating an insider using stolen or engineered credentials (like the hacker who got into the EA employee’s account and presented himself as the EA employee). Insider risk management works either way by watching what the account is doing within your systems and pointing out anomalies.

Fix risky retained access with effective offboarding workflows

If you want to make sure that no user sticks around after their time is up, you need a seamless, automated process to take care of offboarding. 

Employees who leave and contractors who finish their contracted projects should have the following promptly removed:

  • Their SaaS user accounts
  • Asset permissions granted to them
  • Any asset permissions they gave to personal accounts

Unless you have a very small business, the only way you can ensure this happens is with some type of automated offboarding workflow. Otherwise something will inevitably fall through the cracks.  

Deal with social engineering through user involvement in mitigation

Your company’s cyber security posture is only as good as its weakest link. In many cases, that happens to be your end users. Intuition and compassion are wonderful traits, but they can on occasion steer us as humans in the wrong direction. 

Remember the EA Games support person who (ostensibly) felt compassion for the poor EA employee that had lost their phone and was now locked out of the systems they needed for work. The compassion led him to provide an MFA token… which measurably harmed the organization. 

How can you help your end users to retain their positive traits (like compassion) and uproot negative traits (like laziness) in situations where acting on those traits puts your data security at risk?

The answer is user involvement. 

Using this approach, a user attempting to post an encryption key to, or share an MFA token over, a Slack channel would receive a message informing them of the issue, explaining it, and requesting that they remediate.

User education in real time not only takes care of the security issue at hand, but actively increases the user’s awareness for the future.
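One way to implement the real-time check described above, as an added example that is neither the post’s nor any vendor’s code: a scanner for a few secret shapes in a message, plus the notice the user would receive. The patterns are an illustrative subset and the wording is constructed; a production DLP engine would carry many more patterns and validate matches to cut false positives.

```python
import re
from typing import List, Optional

# Illustrative patterns only: a PEM private key header, an AWS access key id,
# a Slack API token, and a six-digit code sitting next to an MFA/2FA/OTP keyword
# (the shape of the EA help-desk exchange).
SECRET_PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[abp]-[0-9A-Za-z-]{10,}\b"),
    "mfa_code": re.compile(
        r"\b(?:mfa|2fa|otp|one[- ]time|verification)\b[^\n\d]{0,40}\b\d{6}\b", re.I),
}

def scan_message(text: str) -> List[str]:
    """Return the secret categories found in a Slack message, in pattern order."""
    return [name for name, rx in SECRET_PATTERNS.items() if rx.search(text)]

def user_notice(user_id: str, channel: str, findings: List[str]) -> Optional[str]:
    """Compose the in-the-moment notice sent back to the poster (constructed wording)."""
    if not findings:
        return None
    kinds = ", ".join(findings)
    return (f"Hi <@{user_id}>, your message in #{channel} appears to contain: {kinds}. "
            "Please delete the message and rotate the credential. Share secrets via "
            "the password manager, and MFA codes only through the approved help-desk flow.")

def handle_post(user_id: str, channel: str, text: str) -> Optional[str]:
    """Glue the two steps: scan the message and, if needed, return the notice."""
    return user_notice(user_id, channel, scan_message(text))
```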

Improve overall data security by keeping certain types of confidential data out of Slack

Cyber security is never 100%. No matter the security measures you take, there is always a chance that your Slack could be breached and your data could be exposed. With this in mind, some data should just never be put into Slack.

What kind of information falls into this category? Some examples include:

  • Data that gives higher levels of access to your other corporate systems
  • Data that could compromise business functionality
  • Data that, if exposed, would require legal disclosure of a data breach

Before you put potentially sensitive data into Slack, ask yourself: what would happen if this got leaked? If the very thought makes you feel like you’re about to pass out, then you should probably find a more secure way to share it.  

Tools to enhance Slack security

Most of the above practices require some type of tool to effectively implement them. 

Identity risk profiling tools, for example, are essential for pinpointing insider threats and identity security threats.

DLP (data loss prevention) tools are necessary for evaluating the information that is posted to or accessed from your Slack, identifying the sensitive data within and ensuring that any attempts at exfiltration, deletion or corruption are stopped in their tracks. Slack’s native DLP function is rather weak, but there are multiple official Slack DLP partners that you can work with.  

A solution for automated workflows is the key to ensure that complete offboarding happens automatically, and that employees slated to depart the company are watched more carefully in their application and asset interaction. If the departing sales team manager suddenly downloads files containing lists of leads, that should be picked up immediately and automatically remediated before the data leaves your control. 
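As an added example that is not part of the original post or any vendor’s product, the Python below runs the two checks described in this section and in the insider risk management section above (a login from an address never seen for that account, and a burst of file downloads by a user on an offboarding watchlist) over entries shaped like the Slack Audit Logs API’s `entries` array. The entries, users, IP addresses, baseline and thresholds are all constructed.

```python
from collections import defaultdict

def entry(ts, action, user, ip, filename=None):
    """Build an entry with the field layout of the Audit Logs API (constructed data)."""
    e = {"date_create": ts, "action": action,
         "actor": {"type": "user", "user": {"id": user, "email": f"{user}@example.com"}},
         "context": {"ip_address": ip}}
    if filename:
        e["entity"] = {"type": "file", "file": {"name": filename}}
    return e

# Constructed sample: one ordinary login, one from an unfamiliar address, a burst
# of downloads by a departing sales manager, and a single download by another user.
SAMPLE_ENTRIES = [
    entry(1731200000, "user_login", "ana", "203.0.113.10"),
    entry(1731200300, "user_login", "ana", "198.51.100.77"),
    entry(1731200400, "file_downloaded", "sam", "203.0.113.22", "leads-q4.csv"),
    entry(1731200460, "file_downloaded", "sam", "203.0.113.22", "leads-emea.csv"),
    entry(1731200520, "file_downloaded", "sam", "203.0.113.22", "pipeline.xlsx"),
    entry(1731200580, "file_downloaded", "sam", "203.0.113.22", "accounts.csv"),
    entry(1731200600, "file_downloaded", "bob", "203.0.113.30", "roadmap.pdf"),
]

# Baseline from an earlier observation window: addresses each account has logged in from.
KNOWN_IPS = {"ana": {"203.0.113.10"}, "sam": {"203.0.113.22"}}
# Accounts HR has flagged as departing (in practice fed from the HRIS).
DEPARTING = {"sam"}
DOWNLOAD_LIMIT, WINDOW_SECONDS = 3, 600

def detect(entries, known_ips, departing):
    """Return (rule, user, detail) alerts; one bulk alert per threshold crossing."""
    alerts = []
    downloads = defaultdict(list)  # user -> timestamps of recent file_downloaded events
    for e in sorted(entries, key=lambda x: x["date_create"]):
        user = e["actor"]["user"]["id"]
        ip = e.get("context", {}).get("ip_address")
        if e["action"] == "user_login" and ip not in known_ips.get(user, set()):
            # Behaviour, not credentials: a valid account used from a never-seen address.
            alerts.append(("new_ip_login", user, ip))
        elif e["action"] == "file_downloaded" and user in departing:
            ts = e["date_create"]
            window = [t for t in downloads[user] if ts - t <= WINDOW_SECONDS] + [ts]
            downloads[user] = window
            if len(window) == DOWNLOAD_LIMIT:  # fire once when the threshold is crossed
                alerts.append(("bulk_download", user, f"{len(window)} files in {WINDOW_SECONDS}s"))
    return alerts
```

The alerts are the hand-off point to an automated workflow (revoke sessions, block further downloads, page the security team); the example stops at detection.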

Slack security compliance and policies

Slack meets some compliance regulations out of the box; for others, compliance is possible but requires special configuration.

If you operate in a regulated industry with high data governance standards, Slack supports connections with verified eDiscovery and DLP providers.

Slack also has a special GovSlack version with higher inherent standards for government organizations.

FAQ

How does Slack handle data privacy?

Slack encrypts data in transit and at rest, adheres to global privacy regulations like GDPR and CCPA, and offers customizable data retention policies. Workspace owners control data access and retention, while Slack maintains strict security measures to protect user information.

Can I monitor Slack for security threats?

Yes, you can monitor Slack for security threats using its Audit Logs API, which tracks user and app activities. Integrating Slack with DLP (Data Loss Prevention), Identity Security, and Security Information and Event Management (SIEM) tools enhances threat detection and response capabilities. 

What should I do if my Slack account is compromised?

If your Slack account is compromised, immediately reset your password and enable two-factor authentication (2FA). Notify your workspace admin to review recent activity and consider using the Audit Logs API for investigation. Revoke any unauthorized app integrations and update your security settings to prevent future breaches.

Meet DoControl - The #1 Multi-Layer SaaS Security Solution

DoControl was designed expressly for the multiple layers and attack surfaces of Slack: data, identities, configurations and connected apps. Each of those must be fully secured in order to protect you against Slack data breaches. 

DoControl’s Data Access Governance and Data Loss Prevention secure your data all across your SaaS ecosystem. Advanced data classification methods mean that no sensitive data goes undiscovered, and automated workflows mean that any detected threat can be mitigated in near real-time. 

DoControl’s Identity Threat Detection & Response (ITDR) and Insider Risk Management secure your Slack and other SaaS user identities, protecting you from external threat actors or insider threats. Behavior benchmarking for individuals and groups, along with important contextual information from HRIS, EDR and IdP systems enable smart differentiation between normal business activity and suspicious actions.  

DoControl’s Shadow App Discovery & Remediation secure your third-party OAuth connected apps by monitoring app behavior and removing unnecessary apps and app permissions.

DoControl’s SaaS Misconfiguration Management secures your admin configurations, checking them against industry standards like CIS and offering remediation guidance.  

Don’t Slack off on your cyber security

If it could happen to Disney, Gizmodo and EA Games, it could happen to your organization also. But you have one advantage that these big players didn’t have: you can learn from their mistakes. 

Go back over the points in this post, review and apply.  

Slack on!
