Slack is a messaging platform businesses and organizations worldwide use to collaborate. It allows teams to communicate, collaborate, and share files and information in real time. Salesforce owns it and it has an estimated 18 million users.

Recently, Slack suffered a security incident that affected some of its private GitHub code repositories. The incident was likely severe enough to prompt Slack to take action and investigate.

The impact of this incident on Slack’s users is not yet known. Still, it could potentially affect the security and privacy of their data. Slack should fix this problem and ensure similar incidents don’t occur again. To protect yourself, you should be vigilant and protect your data and accounts.

Customer data is safe.

In this incident, threat actors were able to gain access to Slack’s GitHub repositories. These repositories are hosted externally (not on Slack’s servers). The access was gained using a small number of Slack employee tokens that had been stolen. It is unclear how the incident took place or who was responsible for it.


Slack has stated that its primary codebase and customer data were not affected despite the breach. This suggests that the threat actors were unable to access sensitive information or make changes to the company’s main systems.
The incident was publicly disclosed on New Year’s Eve. Slack released a notice outlining the details of the breach. Slack also outlined the measures the company was taking to prevent similar incidents in the future.

The Slack Notification

“On December 29, 2022, we were notified of suspicious activity on our GitHub account. Upon investigation, we discovered that a limited number of Slack employee tokens were stolen and misused to gain access to our externally hosted GitHub repository. Our investigation also revealed that the threat actor downloaded private code repositories on December 27. No downloaded repositories contained customer data, means to access customer data or Slack’s primary codebase.”

What does Slack have to say?

Recently, the company announced that some of its user tokens had been stolen by hackers. Tokens are used to authenticate users and grant them access to the platform. In response to the breach, Slack has invalidated the stolen tokens. This means they can no longer be used to access the platform.


The company is also investigating the potential impact of the hack on its customers. While there is currently no evidence that the hackers were able to access sensitive areas of Slack’s environment, Slack has rotated relevant secrets. This means the company has changed certain access codes and keys to prevent further unauthorized access.
Slack’s security team said the hack did not result from a vulnerability within the platform itself. However, it seems as though the hackers were able to gain access through other means, such as phishing attacks or other forms of cyber espionage. The company continues to investigate the breach and will monitor for further exposure.

The hype

The statement that Slack takes “security, privacy, and transparency very seriously” in the security update seems to be at odds with certain aspects of the update’s distribution and visibility. Firstly, the company’s international news blog did not publish the update alongside other articles. This could make it more difficult for users to find and access the information, which runs against the idea of transparency. The update is not as easily accessible as other news and updates on the company’s blog.

Additionally, the update is marked with ‘noindex’ in some regions. Search engines therefore exclude it from search results, and it may be harder to discover. One of the main purposes of the update is to improve security and privacy. Yet the update itself is not easy to locate or access. These issues could raise questions about Slack’s commitment to security, privacy, and transparency. The update seems somewhat hidden or obscure in certain regions.

What did experts notice?

Experts further noticed that the “meta” tag containing the “noindex” attribute was not easily visible in the HTML code of the webpage. This tag is typically placed at the top of a page, but here it was put towards the bottom of the code, on a single, elongated line that overflowed without breaking. This means that someone viewing the source code of the webpage would not immediately see the “noindex” tag unless they actively searched for it using the Ctrl+F function. The placement of this tag in the HTML code suggests that the author intentionally hid it from view. Concealment of this kind can serve nefarious purposes, whether that is manipulating search engine rankings or keeping certain content from being indexed by search engines.
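A tag placed this way is easy to miss by eye but trivial to find by parsing. The script below is an added example, not code from Slack or from the researchers mentioned above: it reports every robots-style "noindex" meta tag in a page along with its line, column and whether it sits far into a long line. The crawler-name list, the 200-column threshold, the function names and the sample HTML are all assumptions made for illustration.

```python
from html.parser import HTMLParser

ROBOT_NAMES = {"robots", "googlebot", "bingbot"}  # crawler names checked (assumed list)
BURIED_COLUMN = 200  # assumed threshold: tag starts this far into a line

class NoindexFinder(HTMLParser):
    """Record every robots-style <meta> tag that carries noindex, with its position."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "meta":
            a = dict(attrs)
            name = (a.get("name") or "").strip().lower()
            directives = {d.strip().lower() for d in (a.get("content") or "").split(",")}
            # "none" is shorthand for "noindex, nofollow"
            if name in ROBOT_NAMES and directives & {"noindex", "none"}:
                line, column = self.getpos()  # position of the tag's "<"
                self.findings.append({"line": line, "column": column,
                                      "in_head": self.in_head})

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def audit_noindex(source):
    """Return noindex findings; 'buried' marks tags that start deep inside a line."""
    finder = NoindexFinder()
    finder.feed(source)
    finder.close()
    lines = source.split("\n")
    for f in finder.findings:
        f["line_length"] = len(lines[f["line"] - 1])
        f["buried"] = f["column"] >= BURIED_COLUMN
    return finder.findings

# Constructed sample: the directive sits at the end of one very long line.
FILLER = '<link rel="stylesheet" href="a.css">'
SAMPLE = ("<html>\n<head>\n<title>Security update</title>\n" + FILLER * 40
          + '<meta name="robots" content="noindex, nofollow">'
          + "\n</head>\n<body><p>Notice text</p></body>\n</html>\n")

if __name__ == "__main__":
    for finding in audit_noindex(SAMPLE):
        print(finding)
```

This only inspects the HTML body; an indexing directive can also be delivered in an `X-Robots-Tag` HTTP response header, which a page-source check will not see.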