Blog
September 23, 2024

Is Slack Safe & Secure for your Business? Risks & Vulnerabilities

Discover the hidden dangers of using Slack for your business. Learn how sensitive data like passwords and credit cards can be easily exposed through accidental sharing or hacking.

Download
Download

Key Points:

  • While Slack improves communication and productivity, it can also be a breeding ground for data breaches. Sensitive information like passwords and credit card details can be easily shared accidentally or through hacking.
  • The vast amount of data stored indefinitely, weak encryption, and easy integration with third-party apps make Slack a target for hackers. Leaked credentials and phishing attacks are common threats.
  • Companies must implement data security tools to monitor data flow, control access, and ensure compliance with regulations. Regularly updating Slack and revoking access for external users are crucial steps.
  • Metomic's data security integration for Slack sweeps it extensively to pick up any valuable information that, in the hands of the wrong person, could jeopardise your company’s future.

Thanks to Slack, communication has become quicker, smoother and more streamlined, with companies becoming hugely dependent on the tool. This has led to huge productivity but businesses need to ensure that these do not come at the expense of data privacy and security.

What type of sensitive data can be found in Slack?

As easy-to-use and convenient as Slack is, it’s near-impossible to see or control what information is being shared across the plethora of channels every company has. This can include sensitive data such as:

  • Email log-ins
  • Twitter or Facebook credentials
  • Credit card details
  • API keys
  • Personal addresses
  • Passwords to the various other platforms and tools used by businesses

This sensitive data can be innocuously exchanged in a casual Slack chat between two colleagues. Even worse, it can be dropped into a group channel where hundreds of others are able to see the information before sharing it. As employers, there’s no way of knowing how far this information is being disseminated internally and how compromising this data leakage may be. 

The situation was exacerbated by the pandemic. Between 10 March 2020 and 25 March 2020, Slack’s concurrent users rose from 10 million to 12.5 million, widening the pool of data shared via the platform that is festering within each business.

Then there’s the data that can be drawn in from third-party services connected to the platform. Zapier is the key to this, acting as a cyber bridge between Slack and the various different apps companies use on a daily basis.

Is Slack safe & secure for your business?

As an invite-only platform, Slack may lead some users to assume that their workplace is safe and secure - but this simply isn’t the case. In many ways, it holds the keys to a business’ kingdom, and once hackers find a way in, there’s the potential for concern and trouble….

What are the security concerns with Slack?

With all this sensitive data circulating within Slack, your company is vulnerable - especially if hackers gain access to the platform. And with the vast majority of Slack chat channels public to all users, it only takes one breached account to open the floodgates.

Last year, analysis from the cybersecurity firm KELA showed that Slack credentials are abundant on hacking forums and the dark web. The company says it found more than 17,000 credentials - belonging to 12,000 different Slack workplaces - that had been offered for sale online via hacking forums and marketplaces like Genesis. 

Nor does Slack encrypt end-to-end communications — a soft spot that could, in theory, be exploited not just by hackers but third-party apps pulling data.

George Avetisov, chief executive officer of security company HYPR, said employee gossip makes Slack and other office chat programs an appealing target for hackers.

5 Top Security Risks in Slack

1. Data Retention

By default, Slack stores all data within the platform indefinitely. That means every message, every channel, and every file shared remains within the platform, unless admins put retention periods in place to stop this happening. While this is beneficial for users to find shared documents or past conversations, it can also mean your attack surface is widened by the amount of data building up within Slack.

2. Phishing

Bad actors can use phishing techniques to get into your Slack environment, giving them access to files and documents shared in public channels. If an unauthorised user gains access to your Slack environment, they can also easily amend their picture and their name to impersonate senior personnel within the company. This could lead to other employees being extorted for financial gain.

3. Third party integrations

It's easy to integrate third party apps with Slack, helping your team become more productive with support tickets or explainer videos at their fingertips. However, this also introduces new risks into the Slack environment, with sensitive data peppered throughout your ecosystem. With the ability to read messages, and access user data, third party integrations should only be authorised by an admin in the security team.

4. Adding external people into your environment

Working with contractors or freelancers via Slack is an easy way to keep in touch. But when a project ends, their access to your Slack environment should be withdrawn. Failure to do so results in individuals having access to your files and documents for longer than necessary, increasing the chances of data leakage.

5. System vulnerabilities

In 2022, it was revealed that Slack had leaked hashed passwords for five years, with 0.5% of Slack users having to change their passwords as a result. The platform itself is not infallible, and security teams should stay up to date with the latest news from Slack to ensure they're making the most of the security measures available to them.

Why should businesses pay attention? 

Organisations may see Slack as an integral tool for the business, and with millions of users worldwide, it's hard to argue otherwise. However, security teams must be sure to implement the necessary security measures to ensure data shared within Slack is only seen by authorised users.

Without a data security tool in place, it can be difficult for security professionals to understand who is sharing sensitive data, who has access to it, and where it lives. Having this visibility and control over data flow is vital to ensure data is protected from leaks or breaches, and the organisation is remaining compliant with industry regulations such as GDPR, and HIPAA.

Read more: Making Slack HIPAA Compliant: A Guide for Healthcare Organisations

Report: How bad can a Slack data breach get?

Did you know the average employee shares 600 pieces of Personal Identifiable Information in Slack, including:

- 478 email addresses

- 76 phone numbers

- 4 driving licenses

- 8 credit card numbers

- 2 dates of birth

Find how you can make Slack more compliant and avoid costly data breaches by downloading our Slack whitepaper.

Why is Slack worried?

The San Francisco-based company warned way back in April of 2019 that hackers gaining access to customers' Slack accounts would be a disaster. 

In its IPO filing, the firm wrote: "Users or organizations on Slack may also disclose or lose control of their API keys, secrets, or passwords.”

This "could lead to unauthorized access to their accounts and data within Slack,” the filing noted. "In addition, a breach of the security measures of one of our partners could result in the destruction, modification, or exfiltration of confidential corporate information, or other data that may provide additional avenues of attack."

Companies now have sensitive customer information, passwords, company credit cards and IP addresses floating around in Slack DMs and channels. Businesses simply can’t afford to take the risk of having this level and amount of sensitive information in Slack. 

How can Metomic make Slack secure for your business?

This is where Metomic comes into play. Our data security platform is capable of integrating with Slack and sweeping it extensively to pick up any valuable information that, in the hands of the wrong person, could jeopardise your company’s future.

We give you: 

  • Visibility over data shared within Slack including emails, social security numbers, passwords, and more, before classifying and securing it
  • Insights into who has access to your data, and where your data is flowing
  • The knowledge needed to adopt the right strategy in response

To find out more about how Metomic can secure your Slack application, book a personalised demo with one of our security experts today.

Key Points:

  • While Slack improves communication and productivity, it can also be a breeding ground for data breaches. Sensitive information like passwords and credit card details can be easily shared accidentally or through hacking.
  • The vast amount of data stored indefinitely, weak encryption, and easy integration with third-party apps make Slack a target for hackers. Leaked credentials and phishing attacks are common threats.
  • Companies must implement data security tools to monitor data flow, control access, and ensure compliance with regulations. Regularly updating Slack and revoking access for external users are crucial steps.
  • Metomic's data security integration for Slack sweeps it extensively to pick up any valuable information that, in the hands of the wrong person, could jeopardise your company’s future.

Thanks to Slack, communication has become quicker, smoother and more streamlined, with companies becoming hugely dependent on the tool. This has led to huge productivity but businesses need to ensure that these do not come at the expense of data privacy and security.

What type of sensitive data can be found in Slack?

As easy-to-use and convenient as Slack is, it’s near-impossible to see or control what information is being shared across the plethora of channels every company has. This can include sensitive data such as:

  • Email log-ins
  • Twitter or Facebook credentials
  • Credit card details
  • API keys
  • Personal addresses
  • Passwords to the various other platforms and tools used by businesses

This sensitive data can be innocuously exchanged in a casual Slack chat between two colleagues. Even worse, it can be dropped into a group channel where hundreds of others are able to see the information before sharing it. As employers, there’s no way of knowing how far this information is being disseminated internally and how compromising this data leakage may be. 

The situation was exacerbated by the pandemic. Between 10 March 2020 and 25 March 2020, Slack’s concurrent users rose from 10 million to 12.5 million, widening the pool of data shared via the platform that is festering within each business.

Then there’s the data that can be drawn in from third-party services connected to the platform. Zapier is the key to this, acting as a cyber bridge between Slack and the various different apps companies use on a daily basis.

Is Slack safe & secure for your business?

As an invite-only platform, Slack may lead some users to assume that their workplace is safe and secure - but this simply isn’t the case. In many ways, it holds the keys to a business’ kingdom, and once hackers find a way in, there’s the potential for concern and trouble….

What are the security concerns with Slack?

With all this sensitive data circulating within Slack, your company is vulnerable - especially if hackers gain access to the platform. And with the vast majority of Slack chat channels public to all users, it only takes one breached account to open the floodgates.

Last year, analysis from the cybersecurity firm KELA showed that Slack credentials are abundant on hacking forums and the dark web. The company says it found more than 17,000 credentials - belonging to 12,000 different Slack workplaces - that had been offered for sale online via hacking forums and marketplaces like Genesis. 

Nor does Slack encrypt end-to-end communications — a soft spot that could, in theory, be exploited not just by hackers but third-party apps pulling data.

George Avetisov, chief executive officer of security company HYPR, said employee gossip makes Slack and other office chat programs an appealing target for hackers.

5 Top Security Risks in Slack

1. Data Retention

By default, Slack stores all data within the platform indefinitely. That means every message, every channel, and every file shared remains within the platform, unless admins put retention periods in place to stop this happening. While this is beneficial for users to find shared documents or past conversations, it can also mean your attack surface is widened by the amount of data building up within Slack.

2. Phishing

Bad actors can use phishing techniques to get into your Slack environment, giving them access to files and documents shared in public channels. If an unauthorised user gains access to your Slack environment, they can also easily amend their picture and their name to impersonate senior personnel within the company. This could lead to other employees being extorted for financial gain.

3. Third party integrations

It's easy to integrate third party apps with Slack, helping your team become more productive with support tickets or explainer videos at their fingertips. However, this also introduces new risks into the Slack environment, with sensitive data peppered throughout your ecosystem. With the ability to read messages, and access user data, third party integrations should only be authorised by an admin in the security team.

4. Adding external people into your environment

Working with contractors or freelancers via Slack is an easy way to keep in touch. But when a project ends, their access to your Slack environment should be withdrawn. Failure to do so results in individuals having access to your files and documents for longer than necessary, increasing the chances of data leakage.

5. System vulnerabilities

In 2022, it was revealed that Slack had leaked hashed passwords for five years, with 0.5% of Slack users having to change their passwords as a result. The platform itself is not infallible, and security teams should stay up to date with the latest news from Slack to ensure they're making the most of the security measures available to them.

Why should businesses pay attention? 

Organisations may see Slack as an integral tool for the business, and with millions of users worldwide, it's hard to argue otherwise. However, security teams must be sure to implement the necessary security measures to ensure data shared within Slack is only seen by authorised users.

Without a data security tool in place, it can be difficult for security professionals to understand who is sharing sensitive data, who has access to it, and where it lives. Having this visibility and control over data flow is vital to ensure data is protected from leaks or breaches, and the organisation is remaining compliant with industry regulations such as GDPR, and HIPAA.

Read more: Making Slack HIPAA Compliant: A Guide for Healthcare Organisations

Report: How bad can a Slack data breach get?

Did you know the average employee shares 600 pieces of Personal Identifiable Information in Slack, including:

- 478 email addresses

- 76 phone numbers

- 4 driving licenses

- 8 credit card numbers

- 2 dates of birth

Find how you can make Slack more compliant and avoid costly data breaches by downloading our Slack whitepaper.

Why is Slack worried?

The San Francisco-based company warned way back in April of 2019 that hackers gaining access to customers' Slack accounts would be a disaster. 

In its IPO filing, the firm wrote: "Users or organizations on Slack may also disclose or lose control of their API keys, secrets, or passwords.”

This "could lead to unauthorized access to their accounts and data within Slack,” the filing noted. "In addition, a breach of the security measures of one of our partners could result in the destruction, modification, or exfiltration of confidential corporate information, or other data that may provide additional avenues of attack."

Companies now have sensitive customer information, passwords, company credit cards and IP addresses floating around in Slack DMs and channels. Businesses simply can’t afford to take the risk of having this level and amount of sensitive information in Slack. 

How can Metomic make Slack secure for your business?

This is where Metomic comes into play. Our data security platform is capable of integrating with Slack and sweeping it extensively to pick up any valuable information that, in the hands of the wrong person, could jeopardise your company’s future.

We give you: 

  • Visibility over data shared within Slack including emails, social security numbers, passwords, and more, before classifying and securing it
  • Insights into who has access to your data, and where your data is flowing
  • The knowledge needed to adopt the right strategy in response

To find out more about how Metomic can secure your Slack application, book a personalised demo with one of our security experts today.

Key Points:

  • While Slack improves communication and productivity, it can also be a breeding ground for data breaches. Sensitive information like passwords and credit card details can be easily shared accidentally or through hacking.
  • The vast amount of data stored indefinitely, weak encryption, and easy integration with third-party apps make Slack a target for hackers. Leaked credentials and phishing attacks are common threats.
  • Companies must implement data security tools to monitor data flow, control access, and ensure compliance with regulations. Regularly updating Slack and revoking access for external users are crucial steps.
  • Metomic's data security integration for Slack sweeps it extensively to pick up any valuable information that, in the hands of the wrong person, could jeopardise your company’s future.

Thanks to Slack, communication has become quicker, smoother and more streamlined, with companies becoming hugely dependent on the tool. This has led to huge productivity but businesses need to ensure that these do not come at the expense of data privacy and security.

What type of sensitive data can be found in Slack?

As easy-to-use and convenient as Slack is, it’s near-impossible to see or control what information is being shared across the plethora of channels every company has. This can include sensitive data such as:

  • Email log-ins
  • Twitter or Facebook credentials
  • Credit card details
  • API keys
  • Personal addresses
  • Passwords to the various other platforms and tools used by businesses

This sensitive data can be innocuously exchanged in a casual Slack chat between two colleagues. Even worse, it can be dropped into a group channel where hundreds of others are able to see the information before sharing it. As employers, there’s no way of knowing how far this information is being disseminated internally and how compromising this data leakage may be. 

The situation was exacerbated by the pandemic. Between 10 March 2020 and 25 March 2020, Slack’s concurrent users rose from 10 million to 12.5 million, widening the pool of data shared via the platform that is festering within each business.

Then there’s the data that can be drawn in from third-party services connected to the platform. Zapier is the key to this, acting as a cyber bridge between Slack and the various different apps companies use on a daily basis.

Is Slack safe & secure for your business?

As an invite-only platform, Slack may lead some users to assume that their workplace is safe and secure - but this simply isn’t the case. In many ways, it holds the keys to a business’ kingdom, and once hackers find a way in, there’s the potential for concern and trouble….

What are the security concerns with Slack?

With all this sensitive data circulating within Slack, your company is vulnerable - especially if hackers gain access to the platform. And with the vast majority of Slack chat channels public to all users, it only takes one breached account to open the floodgates.

Last year, analysis from the cybersecurity firm KELA showed that Slack credentials are abundant on hacking forums and the dark web. The company says it found more than 17,000 credentials - belonging to 12,000 different Slack workplaces - that had been offered for sale online via hacking forums and marketplaces like Genesis. 

Nor does Slack encrypt end-to-end communications — a soft spot that could, in theory, be exploited not just by hackers but third-party apps pulling data.

George Avetisov, chief executive officer of security company HYPR, said employee gossip makes Slack and other office chat programs an appealing target for hackers.

5 Top Security Risks in Slack

1. Data Retention

By default, Slack stores all data within the platform indefinitely. That means every message, every channel, and every file shared remains within the platform, unless admins put retention periods in place to stop this happening. While this is beneficial for users to find shared documents or past conversations, it can also mean your attack surface is widened by the amount of data building up within Slack.

2. Phishing

Bad actors can use phishing techniques to get into your Slack environment, giving them access to files and documents shared in public channels. If an unauthorised user gains access to your Slack environment, they can also easily amend their picture and their name to impersonate senior personnel within the company. This could lead to other employees being extorted for financial gain.

3. Third party integrations

It's easy to integrate third party apps with Slack, helping your team become more productive with support tickets or explainer videos at their fingertips. However, this also introduces new risks into the Slack environment, with sensitive data peppered throughout your ecosystem. With the ability to read messages, and access user data, third party integrations should only be authorised by an admin in the security team.

4. Adding external people into your environment

Working with contractors or freelancers via Slack is an easy way to keep in touch. But when a project ends, their access to your Slack environment should be withdrawn. Failure to do so results in individuals having access to your files and documents for longer than necessary, increasing the chances of data leakage.

5. System vulnerabilities

In 2022, it was revealed that Slack had leaked hashed passwords for five years, with 0.5% of Slack users having to change their passwords as a result. The platform itself is not infallible, and security teams should stay up to date with the latest news from Slack to ensure they're making the most of the security measures available to them.

Why should businesses pay attention? 

Organisations may see Slack as an integral tool for the business, and with millions of users worldwide, it's hard to argue otherwise. However, security teams must be sure to implement the necessary security measures to ensure data shared within Slack is only seen by authorised users.

Without a data security tool in place, it can be difficult for security professionals to understand who is sharing sensitive data, who has access to it, and where it lives. Having this visibility and control over data flow is vital to ensure data is protected from leaks or breaches, and the organisation is remaining compliant with industry regulations such as GDPR, and HIPAA.

Read more: Making Slack HIPAA Compliant: A Guide for Healthcare Organisations

Report: How bad can a Slack data breach get?

Did you know the average employee shares 600 pieces of Personal Identifiable Information in Slack, including:

- 478 email addresses

- 76 phone numbers

- 4 driving licenses

- 8 credit card numbers

- 2 dates of birth

Find how you can make Slack more compliant and avoid costly data breaches by downloading our Slack whitepaper.

Why is Slack worried?

The San Francisco-based company warned way back in April of 2019 that hackers gaining access to customers' Slack accounts would be a disaster. 

In its IPO filing, the firm wrote: "Users or organizations on Slack may also disclose or lose control of their API keys, secrets, or passwords.”

This "could lead to unauthorized access to their accounts and data within Slack,” the filing noted. "In addition, a breach of the security measures of one of our partners could result in the destruction, modification, or exfiltration of confidential corporate information, or other data that may provide additional avenues of attack."

Companies now have sensitive customer information, passwords, company credit cards and IP addresses floating around in Slack DMs and channels. Businesses simply can’t afford to take the risk of having this level and amount of sensitive information in Slack. 

How can Metomic make Slack secure for your business?

This is where Metomic comes into play. Our data security platform is capable of integrating with Slack and sweeping it extensively to pick up any valuable information that, in the hands of the wrong person, could jeopardise your company’s future.

We give you: 

  • Visibility over data shared within Slack including emails, social security numbers, passwords, and more, before classifying and securing it
  • Insights into who has access to your data, and where your data is flowing
  • The knowledge needed to adopt the right strategy in response

To find out more about how Metomic can secure your Slack application, book a personalised demo with one of our security experts today.