Why Slack is Bad (From a Security Perspective) and What You Can Do About It
Cybersec Café #54 - 02/11/25
Before we dive in, let’s get one thing straight - Slack is great for business.
There’s a reason Slack is known as the software you never close.
It enables real-time collaboration, supports asynchronous work, centralizes notifications, and – perhaps most importantly – helps build company culture, even across time zones.
But let’s be real - we all use Slack in ways we probably shouldn’t.
Think about it: When was the last time someone sent you new credentials in plain text over Slack? An API key? A financial document? A PDF littered with personally identifiable information (PII)?
Chances are, you’ve seen this happen more often than you’d likely care to admit - which is exactly why Slack is a bigger security risk than most people realize.
Let’s dive into why Slack poses security challenges, and more importantly, how you can make it safer for your organization.
History
Before we jump into the nitty gritty, it’s important to understand the real-world consequences of Slack security incidents.
Major organizations have had their Slack instances compromised in different ways, and each case highlights a unique risk that comes with using the platform.
Let’s take a look at a few high-profile breaches and what we can learn from them.
Disney
In September 2024, The Walt Disney Company announced it was dropping Slack for internal communications in favor of Microsoft Teams.
This decision followed a massive data breach a few months prior in July after a hacker group gained access to a Disney employee’s personal laptop, allegedly via malware.
While there’s speculation as to whether this was a move to cut costs or to shift blame, we can look at what we do know and draw our own conclusions.
The group was able to scrape all the sensitive data the employee could access inside their Slack instance, including 10,000+ channels and 13,000+ documents.
The full impact of the breach still remains unclear, but one thing is certain: human error played a significant role.
The hacker group even later hinted at a potentially malicious insider, posting:
“We tried to hold off until we got deeper in, but our inside man got cold feet and kicked us out!”.
Seemingly in response to the breach, Slack released a blog post emphasizing:
“Cybersecurity is a shared responsibility.”
This statement underscores an important point, one that remains true for nearly all SaaS platforms.
Slack operates on a shared security model. While the platform itself has its own security controls, it’s only as secure as the people and policies within the organization.
Ultimately, Disney’s breach wasn’t due to a fundamental flaw in Slack’s product, but rather a result of how sensitive data was shared carelessly through the platform.
Uber
In September 2022, Uber employees woke up to a shocking message in their #general Slack channel - that a user had hacked the company.
What was initially thought to be a joke proved to be their worst nightmare.
Forensic analysis later revealed that the attacker had purchased stolen credentials from the dark web and social-engineered their way into Uber’s systems leveraging an MFA fatigue attack - a method where a victim is bombarded with push notifications until they finally approve one out of frustration or mistake.
Once inside, the attacker escalated their access, stealing administrator credentials across multiple platforms, including Google Workspace, AWS, OneLogin, and HackerOne.
Uber’s breach wasn’t just about Slack, it was a failure in multiple areas: lack of monitoring, weak MFA protections, and easy privilege escalation.
The attack cost the company an estimated $3 million in downtime and recovery efforts.
EA Games
In the summer of 2021, an employee of Electronic Arts (EA Games) fell victim to a social engineering attack that led to the exfiltration of source code for FIFA 21 and the Frostbite game engine.
The hackers reportedly gained access after purchasing stolen cookies online, using them to gain access to an EA Slack channel.
Once inside, they posed as an employee and socially engineered a member of IT Support, claiming they had lost their phone at a party and needed to reset their MFA.
With the MFA linked to their own device, they had the keys to the kingdom, exfiltrating 780GB of source code.
The hackers attempted to both sell the source code online and extort EA for ransom in exchange for keeping the data private. EA refused and instead the hackers leaked the stolen code on a hacker forum.
- Today’s Sponsor -
Navigating personal digital security can feel overwhelming. SecuriBeat makes it easy by breaking down complex security practices into simple, actionable steps so you can build confidence in your cybersecurity decisions. Use the Security Dashboard to visualize your footprint over 15+ categories, understand your risk level, and track your progress over time. Take control of your digital footprint today.
Risks
The Disney, Uber, and EA Games scenarios highlight different attack vectors, but all expose a common theme: Slack is a high-risk data repository.
So, if a malicious actor gains access to your Slack environment - what can they steal? What damage can they do?
API Keys/Credentials
If you’re responsible for issuing API keys or credentials, I’d hope you already understand the sensitivity and risk. But are these keys and creds being shared securely?
Exposed credentials can provide attackers with direct access to critical systems, sensitive data, and even full administrative control.
Sharing these credentials over Slack could turn a breach into a company-wide compromise.
Instead of sharing credentials over Slack, try using a secure password vault, or better yet, eliminate the need completely by leveraging SSO.
Slack isn’t built for secure credential management. If it’s in Slack, assume it’s compromised.
Sensitive Documents
Sharing sensitive documents over Slack is downright reckless.
DMs and private channels give a false sense of security - it’s just one malicious insider, compromised account, or misconfiguration away from a breach.
Instead, use secure file sharing platforms (Google Drive, OneDrive, Dropbox) or SSO-protected storage.
Slack isn’t a document vault - treat it like a public bulletin board.
Content
Slack integrations bring a level of convenience, but also risk.
Having all your monitoring tools in one place is great, but what data are you exposing and who can see it?
I’m not saying stop - I’m just asking you to consider the sensitivity of the alerts.
It’s also important to think about knowledge drift. As your company scales, so does Slack. Old channels linger, access controls fade, and forgotten integrations and content remain.
Regularly audit channels and integrations. Decommission what’s no longer needed.
Use Slack to enhance visibility, not increase attack surface.
Overly Permissive Actions
Slash commands make our lives easier - but at what cost?
That simple /meet command brings a level of convenience, but it’s backed by an API key. Is that key scoped to the minimum permissions the command actually needs?
Follow the principle of least privilege when scoping your API Keys. Periodically review and restrict scopes.
Every shortcut comes with potential trade-offs. Make sure yours are worth it.
Social Engineering
The biggest security risk in Slack isn’t a misconfiguration - it’s people.
If an attacker gets into your Slack instance, social engineering is likely their first move.
Impersonating a trusted colleague is easy in a chat-based environment - we saw it on full display with the EA Games breach.
Be skeptical by default. If something feels phishy, suggest a quick Zoom call or another form of verification.
When in doubt, verify. A little caution can stop a massive breach.
How to Make Slack Better (From a Security Perspective)
Slack is an incredibly valuable tool for businesses.
But it’s not without its security challenges.
Fortunately, there are ways to mitigate those risks and use Slack more securely.
Educate
Cybersecurity always starts with education.
Work is for work, personal is for personal.
Make it cultural for your employees to understand their work machines are for work, and their personal machines for personal use - don’t intermingle the two.
Educate your employees on the dangers that arise from sharing sensitive data in plaintext over Slack.
Offer solutions, such as password managers and secure file sharing options, that make it frictionless to engage in secure practices. Employees are more likely to push back if it completely interrupts their workflow.
Lastly, educate on the various popular attack vectors. By training staff to recognize potential threats, you empower them to stop an attack in its tracks before it escalates.
Set Slack Messages to Delete
Slack’s free plan will automatically do this for you - after a year, they’re gone.
But for those using paid plans, you’ll need to configure your retention settings manually.
Discuss with your organization what retention policy best fits your needs.
Audit Logs
Given the sensitive data that will undoubtedly be passing through Slack, it’s essential to keep track of what’s happening inside the platform.
Whether you like it or not, no matter how much training or education you provide - sensitive data will be shared.
To be up front, this is NOT a sponsored article - but Slack provides comprehensive audit logging on their Enterprise Grid product.
While it’s certainly pricier than their Business+ $15/user per month, it may be worth splurging for those extra audit logs to prevent or quickly respond to potential security breaches that could otherwise cause significant damage.
Set Up Detections
Audit logs are only valuable if you make them actionable.
Ingest your logs into a SIEM. Set up and continuously tune your detections to match your environment-specific needs.
By proactively monitoring, you can catch problems before they escalate into bigger threats.
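As an added illustration (not code from the original post), here is a small set of detections of the kind you might tune in a SIEM, run over constructed Slack audit-log entries. The field layout (action, actor.user.id, context.ip_address, date_create) is assumed from the shape of Slack’s Audit Logs API; the thresholds and sample data are made up.

```python
"""Toy detections over Slack Enterprise Grid style audit-log entries.

Assumed schema (modelled on Slack's Audit Logs API): action, actor.user.id,
context.ip_address, date_create as epoch seconds. All entries below are
constructed sample data, not real logs.
"""
from collections import defaultdict, deque

SAMPLE_ENTRIES = [  # constructed: a login from a new IP, then a scope grant...
    {"date_create": 1700000000, "action": "user_login",
     "actor": {"user": {"id": "U01"}}, "context": {"ip_address": "203.0.113.5"}},
    {"date_create": 1700003600, "action": "user_login",
     "actor": {"user": {"id": "U01"}}, "context": {"ip_address": "198.51.100.9"}},
    {"date_create": 1700003700, "action": "app_scopes_expanded",
     "actor": {"user": {"id": "U01"}}, "context": {"ip_address": "198.51.100.9"}},
] + [  # ...followed by 60 file downloads in one minute (Disney-style scraping)
    {"date_create": 1700003800 + i, "action": "file_downloaded",
     "actor": {"user": {"id": "U01"}}, "context": {"ip_address": "198.51.100.9"}}
    for i in range(60)
]


def detect(entries, download_threshold=50, window_secs=300):
    """Return a list of (epoch, user_id, rule_name) alerts in time order."""
    alerts = []
    known_ips = defaultdict(set)      # user -> IPs previously seen at login
    downloads = defaultdict(deque)    # user -> timestamps inside the window
    fired_bulk = set()                # users already alerted for bulk downloads
    for e in sorted(entries, key=lambda x: x["date_create"]):
        ts, user = e["date_create"], e["actor"]["user"]["id"]
        ip = e.get("context", {}).get("ip_address")
        if e["action"] == "user_login":
            # First login seeds the baseline; later logins from unseen IPs alert
            if known_ips[user] and ip not in known_ips[user]:
                alerts.append((ts, user, "login_from_new_ip"))
            known_ips[user].add(ip)
        elif e["action"] == "app_scopes_expanded":
            # Scope growth is rare and security-relevant: always surface it
            alerts.append((ts, user, "app_scopes_expanded"))
        elif e["action"] == "file_downloaded":
            q = downloads[user]
            q.append(ts)
            while q and ts - q[0] > window_secs:   # sliding time window
                q.popleft()
            if len(q) >= download_threshold and user not in fired_bulk:
                fired_bulk.add(user)               # alert once per user
                alerts.append((ts, user, "bulk_file_download"))
    return alerts
```

In practice the baseline of known IPs would be persisted between runs and the thresholds tuned per workspace; the logic here is the part a SIEM rule would encode.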
You Can Make Slack Secure
Don’t get me wrong - I love Slack and have been using it for years.
But from a security perspective, there’s so much that can go wrong.
I do wish Slack would offer their full audit logging features at a lower tier than Enterprise - it would enable organizations to better monitor the platform and gain peace of mind knowing their business-critical information is being protected.
That being said, from a business perspective - I get it.
While it’s clear that these Slack attacks aren’t necessarily the fault of Slack itself, it’s important as security professionals to foster safe use of the platform in our organizations.
Security is a shared responsibility. It starts with you and your people. They need to understand the risks associated with Slack, how to use it safely, and why internal security is so important.
Securely Yours,
The Cybersec Cafe
Just a heads up, The Cybersec Cafe's got a pretty cool weekly cadence.
Every week, expect to dive into the hacker’s mindset in our Methodology Walkthroughs or explore Deep Dive articles on various cybersecurity topics.
. . .
Oh, and if you want even more content and updates, hop over to Ryan G. Cox on Twitter/X or my Website. Can't wait to keep sharing and learning together!