In the post-pandemic world, communication technology is vital for workplaces to function, and every day countless professionals start their mornings by logging into Slack.
The popular cloud-based messaging app is everywhere. Since its release in 2013, Slack has amassed 38.8 million users, including companies representing 77% of the Fortune 100.
However, security has long been an issue for the company, and Slack is now facing yet another cybersecurity controversy. Thousands of Disney's (DIS) internal messages have leaked after the entertainment powerhouse fell victim to a 1.2 terabyte hack from the self-proclaimed activist group NullBulge.
Slack, the communication company owned by Salesforce (CRM), was a key component in the breach. Nearly all of the leaked data came from the Slack platform. The leak included images, computer code, logins, unreleased project information, studio technology, ad campaigns, and job applicants.
Slack's history of cyber incidents
This Disney data leak is only one among five recent Slack-related hacks. Uber (UBER), EA Games (EA), Grand Theft Auto (TTWO), Twitter/X, and even Slack itself have all been targeted in a wave of Slack-based cyberattacks, raising concerns about the $26.5 billion company's security measures.
Slack's high use and high data storage make it an attractive gateway for hackers looking to target prominent corporations. There were high economic and business consequences for the companies caught up in these breaches:
- Uber: Suffered $3 million in damages from a hack of their #general Slack channel.
- EA Games: Hackers released 780GB of data on a cybercrime forum.
- Rockstar Games' Grand Theft Auto: Game footage leaked, costing $5 million in recovery.
- Twitter/X: 130 high-profile accounts leaked, which led to a 4% stock price drop.
- Slack: Hackers hijacked thousands of active accounts, costing them $1.9 million.
Most Slack chat channels are public to all users, and one breached account can open the floodgates.
Profile breaches and third-party threats
Slack credentials are constantly breached. An analysis from the cybersecurity firm KELA found over 17,000 credentials — belonging to 12,000 different Slack workplaces — that had been offered for sale online across the dark web and hacking forums.
Another significant threat is that Slack offers third-party app integration to streamline organizations' platform use. Third-party apps in Slack platforms are a vast supply chain risk, as many will ask for extensive permissions. Still, even the seemingly benign request to "read from all public channels" allows access to endless amounts of data.
Top Slack security risks
- Data retention: Slack stores all data indefinitely. The data includes messages, login information, and any file uploads.
- Third-party integration: One of Slack's highest selling points and highest risks. Sensitive data stored in Slack can be accessed by potentially unsecured third-party apps.
- System vulnerabilities: Hashed passwords leaked for five years until 2022. Safety is not a hallmark of Slack, and this 'slip-up' was caused by a lack of monitoring.
Expert perspectives
Dr. Diane M. Janosek, a global cybersecurity leader, highlighted the challenges online collaboration tools like Slack pose to businesses.
According to Janosek, while these tools aid businesses in operating at net speed and increasing efficiency, there are security vulnerabilities due to the ubiquitous nature of personal and work devices.
Shawn Loveland, COO of Resecurity, informed TheStreet that "Slack has vulnerabilities customers need to monitor and mitigate accordingly."
Regarding the Disney breach, both Janosek and Loveland concur that any cloud collaboration tool is exposed to a hack of that nature. Loveland notes that most cases of malicious access to Slack stem from malware infections on employees' devices.
Both professionals encourage continuing use of Slack for business needs, as long as the company consistently monitors security, as it should for any cloud collaboration software.