Security
May 9, 2023

Is Sensitive Data in Slack Secure for Business?

As easy-to-use and convenient as Slack is, it’s near-impossible to see or control what information is being shared across hundreds of channels.

Download PDF

When it first launched in 2013, Slack was branded as a friendly alternative to Microsoft’s team tools. Eight years on, it has become vital to the functioning of businesses across the world. 

Thanks to Slack, communication has become quicker, smoother and more streamlined, with companies becoming hugely dependent on the tool. This has led to huge productivity but businesses need to ensure that these do not come at the expense of data privacy and security.

What type of sensitive data is in Slack?

As easy-to-use and convenient as Slack is, it’s near-impossible to see or control what information is being shared across the plethora of channels every company has. This can include sensitive data such as email log-ins, Twitter or Facebook credentials, credit card details, API keys, personal addresses, and passwords to the various other platforms and tools used by businesses.

This sensitive data can be innocuously exchanged in a casual chat between two colleagues. Even worse, it can be dropped into a group channel where hundreds of others are able to see the information before sharing it. As employers, there’s no way of knowing how far this information is being disseminated internally and how compromising this data leakage may be. 

The situation has been exacerbated by the pandemic. Between 10 March 2020 and 25 March 2020, Slack’s concurrent users rose from 10 million to 12.5 million, widening the pool of data shared via the platform that is festering within each business.

Then there’s the data that can be drawn in from third-party services connected to the platform. Zapier is the key to this, acting as a cyber bridge between Slack and the various different apps companies use on a daily basis.

Is Slack secure?

As an invite-only platform, Slack may lead some users to assume that their workplace is secure - but this simply isn’t the case. In many ways, it holds the keys to a business’ kingdom, and once hackers find a way in, there’s the potential for trouble….

Why should I care?

With all this sensitive data circulating within Slack, your company is vulnerable - especially if hackers gain access to the platform. And with the vast majority of Slack channels public to all users, it only takes one breached account to open the floodgates.

Last year, analysis from the cybersecurity firm KELA showed that Slack credentials are abundant on hacking forums and the dark web. The company says it found more than 17,000 credentials - belonging to 12,000 different Slack workplaces - that had been offered for sale online via hacking forums and marketplaces like Genesis. 

Nor does Slack encrypt end-to-end communications — a soft spot that could, in theory, be exploited not just by hackers but third-party apps pulling data.

George Avetisov, chief executive officer of security company HYPR, said employee gossip makes Slack and other office chat programs an appealing target for hackers.

“Forget corporate espionage — workforce chat logs are often a treasure trove of embarrassment and blackmail,” he said. 

“Complaining about that demanding customer? Jealous about a co-worker’s new desk? These are seemingly harmless comments that a malicious third party could exploit if chat logs ever leaked.”

Why is Slack scared?

The San Francisco-based company warned way back in April of 2019 that hackers gaining access to customers' Slack accounts would be a disaster. 

In its IPO filing, the firm wrote: "Users or organizations on Slack may also disclose or lose control of their API keys, secrets, or passwords.”

This "could lead to unauthorized access to their accounts and data within Slack,” the filing noted. "In addition, a breach of the security measures of one of our partners could result in the destruction, modification, or exfiltration of confidential corporate information, or other data that may provide additional avenues of attack."

Companies now have sensitive customer information, passwords, company credit cards and IP addresses floating around in Slack DMs and channels. Businesses simply can’t afford to take the risk of having this level and amount of sensitive information in Slack. 

How Metomic can make Slack safe

This is where Metomic comes into play. Metomic's DLP software is capable of integrating with Slack and sweeping it extensively to pick up any valuable information that, in the hands of the wrong person, could jeopardise your company’s future.

Our ‘inspector’ tool drills down into the data shared on Slack (emails, social security numbers, passwords, credit card details and more) and lets you know what information is accessible via the platform before classifying it accordingly.

This provides a lay of the land for your company - in terms of where your data is flowing, who is sharing it, and which parts of the business are susceptible as a result - and equips you with the knowledge needed to adopt the right strategy in response.

Most importantly, however, Metomic’s zero-trust tech architecture enables it to do all of this without collecting or storing the data itself, eliminating your security risks without adding new ones.

With Metomic, business and security leaders can empower teams to drive productivity with Slack while automating data protection measures. This allows time to be saved on compliance and privacy, and instead diverted towards business growth.

Find how you can make Slack more compliant and avoid costly data breaches with our Slack whitepaper.

When it first launched in 2013, Slack was branded as a friendly alternative to Microsoft’s team tools. Eight years on, it has become vital to the functioning of businesses across the world. 

Thanks to Slack, communication has become quicker, smoother and more streamlined, with companies becoming hugely dependent on the tool. This has led to huge productivity but businesses need to ensure that these do not come at the expense of data privacy and security.

What type of sensitive data is in Slack?

As easy-to-use and convenient as Slack is, it’s near-impossible to see or control what information is being shared across the plethora of channels every company has. This can include sensitive data such as email log-ins, Twitter or Facebook credentials, credit card details, API keys, personal addresses, and passwords to the various other platforms and tools used by businesses.

This sensitive data can be innocuously exchanged in a casual chat between two colleagues. Even worse, it can be dropped into a group channel where hundreds of others are able to see the information before sharing it. As employers, there’s no way of knowing how far this information is being disseminated internally and how compromising this data leakage may be. 

The situation has been exacerbated by the pandemic. Between 10 March 2020 and 25 March 2020, Slack’s concurrent users rose from 10 million to 12.5 million, widening the pool of data shared via the platform that is festering within each business.

Then there’s the data that can be drawn in from third-party services connected to the platform. Zapier is the key to this, acting as a cyber bridge between Slack and the various different apps companies use on a daily basis.

Is Slack secure?

As an invite-only platform, Slack may lead some users to assume that their workplace is secure - but this simply isn’t the case. In many ways, it holds the keys to a business’ kingdom, and once hackers find a way in, there’s the potential for trouble….

Why should I care?

With all this sensitive data circulating within Slack, your company is vulnerable - especially if hackers gain access to the platform. And with the vast majority of Slack channels public to all users, it only takes one breached account to open the floodgates.

Last year, analysis from the cybersecurity firm KELA showed that Slack credentials are abundant on hacking forums and the dark web. The company says it found more than 17,000 credentials - belonging to 12,000 different Slack workplaces - that had been offered for sale online via hacking forums and marketplaces like Genesis. 

Nor does Slack encrypt end-to-end communications — a soft spot that could, in theory, be exploited not just by hackers but third-party apps pulling data.

George Avetisov, chief executive officer of security company HYPR, said employee gossip makes Slack and other office chat programs an appealing target for hackers.

“Forget corporate espionage — workforce chat logs are often a treasure trove of embarrassment and blackmail,” he said. 

“Complaining about that demanding customer? Jealous about a co-worker’s new desk? These are seemingly harmless comments that a malicious third party could exploit if chat logs ever leaked.”

Why is Slack scared?

The San Francisco-based company warned way back in April of 2019 that hackers gaining access to customers' Slack accounts would be a disaster. 

In its IPO filing, the firm wrote: "Users or organizations on Slack may also disclose or lose control of their API keys, secrets, or passwords.”

This "could lead to unauthorized access to their accounts and data within Slack,” the filing noted. "In addition, a breach of the security measures of one of our partners could result in the destruction, modification, or exfiltration of confidential corporate information, or other data that may provide additional avenues of attack."

Companies now have sensitive customer information, passwords, company credit cards and IP addresses floating around in Slack DMs and channels. Businesses simply can’t afford to take the risk of having this level and amount of sensitive information in Slack. 

How Metomic can make Slack safe

This is where Metomic comes into play. Metomic's DLP software is capable of integrating with Slack and sweeping it extensively to pick up any valuable information that, in the hands of the wrong person, could jeopardise your company’s future.

Our ‘inspector’ tool drills down into the data shared on Slack (emails, social security numbers, passwords, credit card details and more) and lets you know what information is accessible via the platform before classifying it accordingly.

This provides a lay of the land for your company - in terms of where your data is flowing, who is sharing it, and which parts of the business are susceptible as a result - and equips you with the knowledge needed to adopt the right strategy in response.

Most importantly, however, Metomic’s zero-trust tech architecture enables it to do all of this without collecting or storing the data itself, eliminating your security risks without adding new ones.

With Metomic, business and security leaders can empower teams to drive productivity with Slack while automating data protection measures. This allows time to be saved on compliance and privacy, and instead diverted towards business growth.

Find how you can make Slack more compliant and avoid costly data breaches with our Slack whitepaper.

Download the PDF: