How the Twitter hack highlights the dangers of Slack

Slack holds the keys to its customers' kingdoms, and has long been aware how problematic that is. Twitter, it seems, may have been considerably less aware.

Wednesday's massive Twitter hack forced the company to lock out its own users, temporarily, in a desperately bid to stop the ongoing bleeding. And while it has yet to be confirmed, the New York Timesreported Friday that the hacker was was able to access Twitter internal systems after first gaining entry into Twitter's Slack account — where, allegedly, he found unspecified "Twitter credentials" that "gave him access to the company servers."

If that turns out to be accurate, then all someone had to do to facilitate the takeover of more than 130 high-profile Twitter accounts and temporarily bring the social media platform to its knees was gain entry to the colorful chatroom where employees' share GIFs and chat about the workday. And while this obviously came as a surprise to Twitter, it likely didn't shock Slack.

The San Francisco-based company warned way back in April of 2019 that hackers gaining access to customers' Slack accounts would be a disaster.

At the time, Slack was preparing to go public. That required it to list possible "risk factors" the company (and the value of its stock) could face in the years to come. One of those risk factors? You guessed it: Hackers getting access to customer Slack accounts, and all the fallout that could result.

"Users or organizations on Slack may also disclose or lose control of their API keys, secrets, or passwords," noted the company. This "could lead to unauthorized access to their accounts and data within Slack (arising from, for example, an independent third-party data security incident that compromises those API keys, secrets, or passwords).

"In addition, a breach of the security measures of one of our partners could result in the destruction, modification, or exfiltration of confidential corporate information, or other data that may provide additional avenues of attack."

In other words, if hackers got access to a company's Slack account, they might be able to leverage the data found there — say, for example, login credentials to Twitter's admin panel — for additional mischief.

This Tweet is currently unavailable. It might be loading or has been removed.

We reached out to Slack in an attempt to confirm the New York Times' reporting, but received no immediate response. We also asked Twitter whether or not it kept internal login credentials posted in its Slack channel, but did not receive a direct response. Instead, we were pointed to a @TwitterSupport thread where the company has been disclosing information about the breach of its systems.

Employees leaking internal chats have long been the bane of tech and media companies that rely on Slack for everyday business. It should come as no surprise that when an entire company speaks via one digital tool, and every thought and message shared over that tool is recorded for posterity, then leaks have the potential to cause real damage.

And as Twitter discovered this week, leaks aren't the only thing it needs to worry about when it comes to Slack.

UPDATE: July 19, 2020, 9:46 a.m. PDT: A Slack spokesperson responded to our request for comment, and emphasized that social engineering — where someone (or multiple people) is tricked into divulging passwords or other valuable information — appears to be the issue here.

Slack's security and the integrity of our platform were not compromised in any way. As Twitter has said, they believe this attack was accomplished through social engineering by people who successfully targeted some of their employees with access to internal systems and tools. Social engineering tactics, such as phishing schemes, are often used by attackers to obtain valid credentials or other personal information.

This, of course, does not change the fact that plaintext data shared on Slack — if viewed by the wrong person — could be a company's Achilles' heel. As always, it pays to watch what you post.

Related Video: It's surprisingly easy to be more secure online