What is your Slack cybersecurity strategy for 2022? As many companies delay a return to the office, this can be a good time to consider the risk of using such a powerful tool for collaboration.
One assumption is tempting, especially because most of us want to believe it is true:
If someone is in your organization's Slack channel, then they are authenticated and the environment is secure.
Many organizations using Slack operate with this mindset, and most end-users certainly do.
However, two significant data breaches may have you taking another look at your policies or procedures when it comes to your Slack channel.
Electronic Arts hacked through Slack channel
A group of hackers recently stole a trove of data from videogame maker Electronic Arts (EA).
The group was able to steal the source code for FIFA 21 and the source code for the Frostbite engine that powers other popular games, such as Battlefield. In total, the hackers claim to have 780 GB of data and are currently attempting to sell it on the Dark Web.
The group was able to steal the data after socially engineering an EA employee to provide login credentials over a Slack channel.
Here is how they were able to accomplish this, according to Motherboard:
"A representative for the hackers told Motherboard in an online chat that the process started by purchasing stolen cookies being sold online for $10 and using those to gain access to a Slack channel used by EA. Cookies can save the login details of particular users, and potentially let hackers log into services as that person. In this case, the hackers were able to get into EA's Slack using the stolen cookie.
The hackers then requested a multifactor authentication token from EA IT support to gain access to EA's corporate network. The representative said this was successful two times.
Once inside EA's network, the hackers found a service for EA developers for compiling games. They successfully logged in and created a virtual machine giving them more visibility into the network, and then accessed one more service and downloaded game source code."
EA has confirmed the recent incident and added that "no player data was accessed, and we have no reason to believe there is any risk to player privacy."
Twitter hacked through Slack channel
You might remember an interesting time on Twitter about a year ago when a number of high-profile people like Barack Obama, Elon Musk, Kanye West, Bill Gates, and others had their Twitter accounts hacked.
Twitter has said that a group of young, inexperienced hackers was able to manipulate a small number of employees to gain credentials to access the company's internal systems.
According to Decrypt, here is how it happened:
"Speaking to the Times, the juvenile hackers explained how they managed to hijack Twitter's servers via information left on Twitter's internal Slack channel—presumably after being granted access by an unwitting employee.
Twitter's internal investigators corroborated the hackers' story, reports the Times, noting that it was 'consistent with what they had learned so far.'"
While it might be somewhat common for employees to leave valuable information on a Slack channel, Slack has warned about this specific risk before, saying it could be a "disaster."
Mashable describes Slack's warning below:
"At the time, Slack was preparing to go public. That required it to list possible 'risk factors' the company (and the value of its stock) could face in the years to come. One of those risk factors? You guessed it: Hackers getting access to customer Slack accounts, and all the fallout that could result.
'Users or organizations on Slack may also disclose or lose control of their API keys, secrets, or passwords,' noted the company. This 'could lead to unauthorized access to their accounts and data within Slack (arising from, for example, an independent third-party data security incident that compromises those API keys, secrets, or passwords).'"
The Twitter hack and recent EA breach are excellent reminders to review your policies and security awareness training related to your Slack channel.
If you do not, cybercriminals may have an easier time taking advantage of your corporate collaboration.
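One way to act on Slack's warning about API keys, secrets, and passwords left in channels is to audit exported message history for credential-shaped strings. The following Python is an added example, not code from the original article or from Slack; the regular expressions, the scan_messages and redact helpers, the channel name, and the sample messages are assumptions constructed for illustration.

```python
import json
import re

# Credential shapes to flag. Slack token prefixes (xoxb-, xoxp- and similar) and the
# AWS access key ID format are public; the password rule is an assumed heuristic.
PATTERNS = {
    "slack_token": re.compile(r"\bxox[abdeprs]-[A-Za-z0-9-]{10,}"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "password": re.compile(
        r"\b(?:password|passwd|pwd)\s*(?:is|[:=])\s*(\S{6,})", re.IGNORECASE),
}

def redact(value, keep=4):
    """Keep a short prefix only, so the report does not re-leak the secret."""
    return value[:keep] + "*" * max(len(value) - keep, 0)

def scan_messages(channel, messages):
    """Return one finding per credential-like match in a channel's messages."""
    findings = []
    for msg in messages:
        text = msg.get("text", "")
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(text):
                secret = m.group(1) if m.groups() else m.group(0)
                findings.append({
                    "channel": channel,
                    "user": msg.get("user"),
                    "ts": msg.get("ts"),
                    "kind": kind,
                    "match": redact(secret),
                })
    return findings

# Constructed sample shaped like one day file from a Slack workspace export
# (a JSON list of message objects); every user ID and secret here is fake.
SAMPLE = json.loads("""[
 {"type": "message", "user": "U0000001", "ts": "1600000000.000100",
  "text": "lunch at noon?"},
 {"type": "message", "user": "U0000002", "ts": "1600000000.000200",
  "text": "bot token for the deploy job: xoxb-000000000000-CONSTRUCTEDEXAMPLE"},
 {"type": "message", "user": "U0000003", "ts": "1600000000.000300",
  "text": "use AKIAIOSFODNN7EXAMPLE for the bucket"},
 {"type": "message", "user": "U0000001", "ts": "1600000000.000400",
  "text": "the build server password is Hunter2-constructed"}
]""")

if __name__ == "__main__":
    for finding in scan_messages("it-support", SAMPLE):
        print(finding)
```

Each finding carries the channel, user, and timestamp needed to locate the message, delete it, and rotate the exposed credential.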