Slack holds the keys to its customers’ kingdoms, and has long been aware how problematic that is. Twitter, it seems, may have been considerably less aware.
Wednesday’s massive Twitter hack forced the company to lock out its own users, temporarily, in a desperately bid to stop the ongoing bleeding. And while it has yet to be confirmed, the New York Times reported Friday that the hacker was was able to access to Twitter internal systems after first gaining entry into Twitter’s Slack account — where, allegedly, he found unspecified “Twitter credentials” that “gave him access to the company servers.”
If that turns out to be accurate, then all someone had to do to facilitate the takeover of more than 130 high-profile Twitter accounts and temporarily bring the social media platform to its knees was gain entry to the colorful chatroom where employees’ share GIFs and chat about the workday. And while this obviously came as a surprise to Twitter, it likely didn’t shock Slack.
The San Francisco-based company warned way back in April of 2019 that hackers gaining access to customers’ Slack accounts would be a disaster.
At the time, Slack was preparing to go public. That required it to list possible “risk factors” the company (and the value of its stock) could face in the years to come. One of those risk factors? You guessed it: Hackers getting access to customer Slack accounts, and all the fallout that could result.
“Users or organizations on Slack may also disclose or lose control of their API keys, secrets, or passwords,” noted the company. This “could lead to unauthorized access to their accounts and data within Slack (arising from, for example, an independent third-party data security incident that compromises those API keys, secrets, or passwords).
“In addition, a breach of the security measures of one of our partners could result in the destruction, modification, or exfiltration of confidential corporate information, or other data that may provide additional avenues of attack.”
In other words, if hackers got access to a company’s Slack account, they might be able to leverage the data found there — say, for example, login credentials to Twitter’s admin panel — for additional mischief.
This is the advertisement when the access was granted on OG Forums yesterday. There are multiple forums where your personal information is sold or accounts can be hacked on Demand. The highest price is sold for lawyer and health professionals which can go up to $2000 pic.twitter.com/KN340mQygn
— Haseeb Awan (@haseeb) July 16, 2020
We reached out to Slack in an attempt to confirm the New York Times‘ reporting, but received no immediate response. We also asked Twitter whether or not it kept internal login credentials posted in its Slack channel, but did not receive a direct response. Instead, we were pointed to a @TwitterSupport thread where the company has been disclosing information about the breach of its systems.
Employees leaking internal chats have long been the bane of tech and media companies that rely on Slack for everyday business. It should come as no surprise that when an entire company speaks via one digital tool, and every thought and message shared over that tool is recorded for posterity, then leaks have the potential to cause real damage.
And as Twitter discovered this week, leaks aren’t the only thing it needs to worry about when it comes to Slack.