When Uber was breached in September, the hacker remained undetected until they announced their presence within the org via Slack. This incident provides yet another example of Slack being leveraged by an attacker. In this post, we’re going to review some of the ways attackers have used Slack in breaches, why this is happening, and what you can do about it.
A brief history of hacks involving Slack
In the past few years, there have been a number of high-profile hacks where Slack was the primary target. We go into detail about these breaches in the video clip below:
Learn about two types of data exposure that can occur in Slack
These breaches include:
- Electronic Arts hack (2021): In the summer of 2021, video game publisher Electronic Arts (EA) fell victim to a source code breach. The hacker used an employee's Slack account to contact tech support and have the credentials on that employee's accounts reset.
- Twitter (2020): In the summer of 2020, Twitter was breached after a hacker found credentials for the platform's backend posted in Slack.
What makes Slack a valuable target?
As the central communications hub for many organizations, Slack can be a valuable resource for some threat actors, depending on their objectives. Slack may be useful for hackers that are conducting:
- Reconnaissance. Through Slack, an attacker can learn an organization's structure as well as which SaaS applications the company uses or has connected to Slack.
- Privilege escalation. Slack may also hold secrets or credentials that lead to other systems if employees have shared account credentials unsafely.
- Direct data breach. Sensitive information, like customer names, addresses, and credit card numbers might be in Slack in plain text depending on the types of employees that are using Slack (like customer service reps).
In the video clip below, we discuss how collaborative SaaS applications have led to an exponential increase in the amount of sensitive data companies store and share, and how threat actors have caught on to this:
This clip illustrates the threat landscape for SaaS applications and how data leakage occurs within these systems
On the dark web, Slack credentials sell for anywhere from $0.50 up to $300. Historically, Slack account credentials have received minimal interest from hackers, but security researchers like Raveed Laeb suspect that hacks like the Twitter and EA breaches are tipping threat actors off to the value of Slack as a breach vector. While Slack likely won't be the preferred vector in every hack, it will likely remain a low-cost and enticing option. This means more hackers may start to consider leveraging Slack in breaches: doing so isn't prohibitively expensive, and the return can be high if Slack contains valuable data or leads to systems that do.
How you can keep Slack secure
Keeping Slack secure entails identifying where sensitive data, including secrets and credentials, might be shared, and then building best practices to mitigate that risk.
Five areas of data exposure within Slack
Within Slack, the following areas can contribute to sensitive data exposure:
- Slack Connect channels introduce users from outside your organization who may not know or follow your policies.
- Slack guest accounts must be provisioned appropriately, with access to the right channels and assets being maintained across their lifetime.
- Private channels create visibility constraints for security teams.
- File attachments create complexity by expanding the number of places where data can live, as well as the types of sensitive data security teams must look for.
- Retention policies must be actively managed in accordance with compliance and security policies and practices.
Watch the following clip to learn more about how to manage these areas of risk within Slack:
Learn about the most important areas within Slack to monitor for sensitive data leakage
Four best practices for managing data exposure risk in Slack
With knowledge of where data exposure is likely to occur within Slack, you can implement the following four best practices for keeping your Slack instance secure:
1. Enforce a consistent channel creation process that complements business objectives and security policies.
This first best practice entails adopting policies like naming channels by business function, so that users are clear about what can and cannot be discussed in specific channels. For good measure, monitor permissions on accounts regularly to ensure that only the appropriate parties have access to channels where business critical data is being shared.
2. Streamline Slack security with automated features like message and file retention time limits that map to your risk management & compliance strategies.
By default, Slack retains all content for the lifetime of your instance. This may or may not map to your compliance policies and objectives, which means you should review your Slack retention settings in order to confirm if the default setting is appropriate for your organization.
3. Identify engaged stakeholders who will serve as Slack admins and aid employee education and policy enforcement.
Having employees who are aware of best practices for sharing sensitive data in Slack is important, as they can help enforce policy and educate their colleagues whenever possible.
4. Invest in technologies like cloud data loss prevention (DLP) which can monitor designated channels for sensitive data exposure.
With the right tools in place, like data loss prevention, companies can monitor channels (even private channels) to ensure appropriate usage and sharing of sensitive data in Slack. Nightfall, for example, can scan all Slack channels in a workspace (even DMs) for passwords, API keys, credit card numbers and much more. If you want to learn more about Nightfall for Slack, watch a demo, request a free trial, or schedule a call with us.
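A minimal version of the scanning that a DLP tool performs over Slack content, written here as an added example (not Nightfall's code and not the Slack API): it runs pattern matches plus a Luhn check over a constructed, hypothetical message export and reports redacted findings per channel, so that order numbers and other digit runs are not reported as card numbers.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample in the shape of a Slack export (hypothetical channels, users and text).
SAMPLE_MESSAGES = [
    {"channel": "support", "user": "U01", "text": "Customer card is 4111 1111 1111 1111, refund please"},
    {"channel": "eng-private", "user": "U02", "text": "temp creds: AKIAIOSFODNN7EXAMPLE / password: hunter2"},
    {"channel": "random", "user": "U03", "text": "order #1234567890123 shipped"},  # digits, but not a PAN
    {"channel": "ext-vendor", "user": "U04", "text": "see you at 10:30"},
]

PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"(?i)\bpass(?:word|wd)?\s*[:=]\s*(\S+)"),
    # 13-16 digits, optional single space/dash separators, must end on a digit
    "card_number": re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),
}

@dataclass(frozen=True)
class Finding:
    channel: str
    user: str
    kind: str
    redacted: str

def luhn_ok(number: str) -> bool:
    """Luhn checksum over the digits of `number`; separators are ignored."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def redact(value: str) -> str:
    """Keep only the last four characters so a report never re-leaks the secret."""
    return "*" * max(len(value) - 4, 0) + value[-4:]

def scan_message(msg: dict) -> list[Finding]:
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(msg["text"]):
            value = m.group(1) if m.groups() else m.group(0)
            if kind == "card_number" and not luhn_ok(value):
                continue  # digit run that fails Luhn is treated as an order id, not a card
            findings.append(Finding(msg["channel"], msg["user"], kind, redact(value)))
    return findings

def scan_export(messages: list[dict]) -> list[Finding]:
    return [f for msg in messages for f in scan_message(msg)]
```

Routing each Finding to the channel owner, or to a quarantine step that deletes the message, is where a real DLP integration picks up.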
Learn about four best practices for managing sensitive data in Slack