How the Twitter hack highlights the dangers of Slack
Slack holds the keys to its customers' kingdoms, and has long been aware how problematic that is. Twitter, it seems, may have been considerably less aware.
Wednesday's massive Twitter hack forced the company to lock out its own users, temporarily, in a desperate bid to stop the ongoing bleeding. And while it has yet to be confirmed, the New York Times reported Friday that the hacker was able to access Twitter internal systems after first gaining entry into Twitter's Slack account — where, allegedly, he found unspecified "Twitter credentials" that "gave him access to the company servers."
If that turns out to be accurate, then all someone had to do to facilitate the takeover of more than 130 high-profile Twitter accounts and temporarily bring the social media platform to its knees was gain entry to the colorful chatroom where employees share GIFs and chat about the workday. And while this obviously came as a surprise to Twitter, it likely didn't shock Slack.
The San Francisco-based company warned way back in April of 2019 that hackers gaining access to customers' Slack accounts would be a disaster.
At the time, Slack was preparing to go public. That required it to list possible "risk factors" the company (and the value of its stock) could face in the years to come. One of those risk factors? You guessed it: Hackers getting access to customer Slack accounts, and all the fallout that could result.
"Users or organizations on Slack may also disclose or lose control of their API keys, secrets, or passwords," noted the company. This "could lead to unauthorized access to their accounts and data within Slack (arising from, for example, an independent third-party data security incident that compromises those API keys, secrets, or passwords).
"In addition, a breach of the security measures of one of our partners could result in the destruction, modification, or exfiltration of confidential corporate information, or other data that may provide additional avenues of attack."
In other words, if hackers got access to a company's Slack account, they might be able to leverage the data found there — say, for example, login credentials to Twitter's admin panel — for additional mischief.
We reached out to Slack in an attempt to confirm the New York Times' reporting, but received no immediate response. We also asked Twitter whether or not it kept internal login credentials posted in its Slack channel, but did not receive a direct response. Instead, we were pointed to a @TwitterSupport thread where the company has been disclosing information about the breach of its systems.
Employees leaking internal chats have long been the bane of tech and media companies that rely on Slack for everyday business. It should come as no surprise that when an entire company speaks via one digital tool, and every thought and message shared over that tool is recorded for posterity, then leaks have the potential to cause real damage.
And as Twitter discovered this week, leaks aren't the only thing it needs to worry about when it comes to Slack.
UPDATE: July 19, 2020, 9:46 a.m. PDT: A Slack spokesperson responded to our request for comment, and emphasized that social engineering — where someone (or multiple people) is tricked into divulging passwords or other valuable information — appears to be the issue here.
Slack's security and the integrity of our platform were not compromised in any way. As Twitter has said, they believe this attack was accomplished through social engineering by people who successfully targeted some of their employees with access to internal systems and tools. Social engineering tactics, such as phishing schemes, are often used by attackers to obtain valid credentials or other personal information.
This, of course, does not change the fact that plaintext data shared on Slack — if viewed by the wrong person — could be a company's Achilles' heel. As always, it pays to watch what you post.
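The practical check behind that last point is to look for credentials in chat before an attacker does. What follows is an added example, not code from this article, from Slack or from Twitter: a small scanner run over a constructed, Slack-style export (a list of message objects with "user", "ts" and "text", loosely modelled on Slack's export format). Every message, the regex patterns, the 4.0 bits-per-character entropy threshold and the redaction rule are assumptions chosen for illustration; real secret scanners carry far larger pattern sets.

```python
import json
import math
import re
from collections import Counter

# Constructed sample export. The shape loosely follows a Slack export
# (one message object per line of chat); every message is invented for
# this example and none comes from the incident described in the article.
SAMPLE_EXPORT = json.dumps([
    {"user": "U01", "ts": "1594900001.000100", "text": "lunch at noon? :pizza:"},
    {"user": "U02", "ts": "1594900002.000100",
     "text": "admin panel login is ops-admin / Summer2020!"},
    {"user": "U03", "ts": "1594900003.000100",
     "text": "aws key for the staging bucket: AKIAIOSFODNN7EXAMPLE"},
    {"user": "U01", "ts": "1594900004.000100",
     "text": "ticket id 4f8e2a9c-11d3-4c4e-9a2b-0c6f7d8e9a1b"},
    {"user": "U04", "ts": "1594900005.000100",
     "text": "staging api token: Ab3dEf7hIj1kLm9nOp2qRs5tUv8wXy4z"},
])

# Assumed patterns: credential phrasing plus two well-known token formats
# (the AWS key ID prefix and the Slack token prefix). Illustrative only.
PATTERNS = {
    "password_assignment": re.compile(
        r"(?i)\b(password|passwd|pwd|login is|credentials?)\b\s*[:=/]?\s*\S+"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
}

# Fallback for tokens no pattern knows: long runs of token-ish characters
# whose Shannon entropy is high. Threshold is an assumption; hex strings
# such as UUIDs sit below it, which keeps ticket IDs out of the report.
HIGH_ENTROPY_TOKEN = re.compile(r"\b[A-Za-z0-9+/=_-]{20,}\b")
ENTROPY_THRESHOLD = 4.0  # bits per character


def shannon_entropy(s):
    """Bits of entropy per character of s, estimated from its own histogram."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text):
    """Return a list of (rule_name, matched_text) findings for one message."""
    findings = []
    for name, pat in PATTERNS.items():
        for m in pat.finditer(text):
            findings.append((name, m.group(0)))
    for m in HIGH_ENTROPY_TOKEN.finditer(text):
        tok = m.group(0)
        already = any(tok in hit or hit in tok for _, hit in findings)
        if not already and shannon_entropy(tok) >= ENTROPY_THRESHOLD:
            findings.append(("high_entropy_token", tok))
    return findings


def scan_export(raw_json):
    """Scan a whole export; return one report entry per message with findings."""
    report = []
    for msg in json.loads(raw_json):
        hits = scan_text(msg.get("text", ""))
        if hits:
            report.append({"user": msg["user"], "ts": msg["ts"], "findings": hits})
    return report


def redact(secret):
    """Keep the first and last four characters so the finding is usable
    in a ticket without re-posting the credential in full."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def format_report(report):
    lines = []
    for entry in report:
        for rule, hit in entry["findings"]:
            lines.append(f"{entry['ts']} user={entry['user']} {rule}: {redact(hit)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(scan_export(SAMPLE_EXPORT)))
```

Two design choices matter for real use. The report stores findings in redacted form when it is printed or filed, because a scan whose output is itself pasted into a channel recreates the problem it was meant to find. And the entropy fallback is deliberately conservative: it catches the random 32-character token that no pattern names while leaving the hex UUID alone, so the reviewers reading the report are not trained to ignore it.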