
Unpacking the Recent Slack Data Security Breach

By Adrian Barrera

Slack has recently found itself at the center of high-profile AI-related data breaches. As cybersecurity threats escalate, Slack’s role has evolved, transforming from a mere internal communication tool into a digital “water cooler”, hosting everything from work discussions to casual conversations. These recent incidents underscore Slack’s pervasive nature in today’s corporate landscape. 

Slack’s influence remains undeniable, however. According to DemandSage, Slack has 38 million daily users, 65 million monthly users, and 200,000 paid subscribers across 700,000 enterprises—including 77% of Fortune 100 companies. Let’s examine these recent data breaches and explore crucial recommendations for safeguarding our day-to-day conversations.

Water Cooler Leaks

AI’s capabilities are revolutionizing the tech industry, enhancing all aspects of business day-to-day operations. 

While this includes cybersecurity improvements, AI is also destabilizing cybersecurity practices. It serves both as a tool to boost attacks and as a target for breaches. The incidents described below put Slack in the crossfire of these high-profile, AI-related leaks.

Disney Leak

In July, a hacktivist group called NullBulge leaked 1.1 terabytes of internal Disney Slack communications. The group, which claims to advocate for artists’ rights and fair compensation, claimed that “Disney was our target due to its handling of artist contracts, its approach to AI, and its blatant disregard for consumers”. 

The group released the data because they did not believe Disney would meet their demands to stop using AI, according to WSJ. The leak revealed material related to marketing campaigns, candidate interviews, tech stack, and of course, a lot of conversations about pets.

Nvidia Training Data Leak

In August, tech giant Nvidia faced its own Slack-related scandal. Internal Slack chats, emails, and documents obtained by 404Media revealed that Nvidia had scraped videos from YouTube and other sources to compile training data for its AI products, raising ethical questions about data usage and consent.

The Encryption Conundrum

Despite its widespread use, Slack lacks end-to-end encryption, which is a feature that many privacy advocates consider essential for secure communication. In 2018, Slack’s chief information security officer stated that paying customers were more interested in enterprise key management than end-to-end encryption. 

This stance reflects Slack’s positioning as a team communication tool where monitoring for productivity is a feature, rather than a private messaging application where end-to-end encryption is more valuable.

Despite the above, last year, the digital rights group Fight for the Future launched a campaign calling for Slack to implement end-to-end encryption by default. Their effort, named Make Slack Safe, was supported by over 90 companies in a public letter. It also highlighted concerns about the platform’s inability to block users in cases of harassment.

Navigating Slack Securely

In light of these challenges, organizations and individuals can take several steps to mitigate risks when using Slack in day-to-day communications, thereby avoiding becoming the weakest link in a cybersecurity threat.

Recommendations

  • Protect Sensitive Information: Never share passwords, Personally Identifiable Information (PII), Payment Card Industry (PCI) data, Protected Health Information (PHI), or Intellectual Property (IP) in plain text. Utilize secure password management solutions.
  • Mindful Screenshot Sharing: When sharing screenshots, capture only the relevant portions and provide context through detailed descriptions, or obscure any sensitive information caught in the image. For more comprehensive discussions, use huddles for screen-sharing sessions to keep the communication secure.
  • Leverage Secure Internal Communication Tools: Use dedicated secure ticketing systems or knowledge bases for debugging, knowledge transfer, and sharing sensitive information, rather than leaving that information on Slack. Your cybersecurity practice should have placed those systems behind VPN access, making it harder for bad actors to gain access to them.
  • Implement Code Names: Employ non-descriptive channel names and code names for teams to limit exposure of sensitive information. When detailed information is necessary, leverage secure internal communication tools as described above. As an example, a channel/team named “The Chimichangas” with a link to a knowledge base article about the channel objectives/team responsibilities would be better than a descriptive one that reveals sensitive information like the technology stack or the team’s goals.
  • Delete Messages: Actually deleting a message makes it unavailable in a future breach scenario, which isn’t encouraging. But if you happen to share some sensitive information by mistake, just delete it.
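One way to check a workspace against the first and last recommendations is to scan exported messages for data that should not be there and list the messages to delete. The script below is an added example, not code from the article or from Slack. It assumes message objects with the `user`, `ts` and `text` fields used in Slack exports, the sample messages are constructed, and the patterns are illustrative rather than a complete DLP rule set.

```python
import re

# Constructed sample messages, shaped like entries in a Slack export channel file.
SAMPLE_MESSAGES = [
    {"user": "U01", "ts": "1720000001.000100", "text": "Lunch at noon? My dog says hi."},
    {"user": "U02", "ts": "1720000002.000200", "text": "test card is 4111 1111 1111 1111 exp 12/30"},
    {"user": "U03", "ts": "1720000003.000300", "text": "staging db password: example-not-real"},
    {"user": "U04", "ts": "1720000004.000400", "text": "ticket 1234 5678 9012 3456 is closed"},
    {"user": "U05", "ts": "1720000005.000500", "text": "HR form needs SSN 123-45-6789"},
]

PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators
CRED_RE = re.compile(r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*\S+")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")       # US SSN layout only, not validated


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that are not payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> list:
    """Return the kinds of sensitive data found in one message text."""
    kinds = []
    if any(luhn_ok(re.sub(r"\D", "", c)) for c in PAN_RE.findall(text)):
        kinds.append("card-number")
    if CRED_RE.search(text):
        kinds.append("credential")
    if SSN_RE.search(text):
        kinds.append("ssn-like")
    return kinds


def findings(messages: list) -> list:
    """List messages to review and delete; the matched value is never echoed."""
    report = []
    for msg in messages:
        kinds = classify(msg.get("text", ""))
        if kinds:
            report.append({"ts": msg["ts"], "user": msg.get("user"), "kinds": kinds})
    return report


if __name__ == "__main__":
    for row in findings(SAMPLE_MESSAGES):
        print(row)
```

The report carries only the timestamp, user and kind of finding, so the audit output does not become a second copy of the sensitive data.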

Final Thoughts 

As Slack continues to dominate workplace communication, organizations must balance the platform’s convenience with robust security measures. 

In an era where digital water coolers have become central to our work lives, the responsibility for securing our conversations falls on both platform providers and users alike. As we navigate this complex landscape, staying informed and proactive about digital security has never been more critical.

If you’re looking to enhance your security awareness within the Salesforce Ecosystem, there are several valuable resources available:

If you have other recommendations or comments to share regarding security within Slack, make sure you leave them in the comments below!

The Author

Adrian Barrera

Adrian is a Senior Salesforce Developer, an Apex and Integration Specialist at Altimetrik, working in the Fintech space and integrating robust security practices throughout his work.

Comments:

    Melissa Hill Dees
    October 14, 2024 6:11 pm
    What happened to..."Slack did not have a leak?"

    Adrian Barrera
    October 16, 2024 1:40 am
    Great question. It's important to clarify that neither Slack Technologies, LLC itself nor the Slack platform experienced a data leak or security breach. Rather, the issue involved other companies' Slack channels being compromised. When malicious actors gain unauthorized access to an organization's Slack workspace, they can potentially leak sensitive data shared on that platform. This highlights the importance of being mindful about what we share on collaboration tools, and while Slack serves as an example here, the broader lesson is to be cautious about the information we share on any digital platform, regardless of its security measures.
