Slack suffers GitHub repository breach

Target Industry

No specific industry is known to be a target. Further breaches will likely be opportunistic in nature.

Overview

Severity level: Medium – the compromise has the potential to affect customer data; however, no breach of Slack customer data has been disclosed.

On 31st December 2022, Slack announced that it had become the victim of a security breach affecting its GitHub-hosted code repositories. The incident itself occurred a few days earlier, on 27th December, and was carried out by an unknown threat actor.

Slack reported that the threat actor targeted and stole several Slack employee tokens, which were then used to access the GitHub code repository. Despite this breach, Slack maintains that neither customer data nor Slack’s primary codebase was affected. However, due to the recency of the attack, further investigation is likely required.

Since the attack, all stolen Slack GitHub tokens and related credentials have been reset as a security precaution to inhibit further potential exploitation.

While no customer data appears to have been breached by this particular attack, previous experience of similar attacks such as the LastPass breach in August 2022 suggests that stolen code could potentially be used to assist future attacks.

Impact

Successful retrieval of the Slack code repository may result in the loss of sensitive system documentation, notes and tracked changes to web pages.

Vulnerability Detection

No vulnerability is known to be connected with this data breach.

Affected Products

Slack’s GitHub code repository.

Containment, Mitigations & Remediations

Slack has reported that no customer action is required. However, as a precaution, it is recommended that customers using Slack reset their login details, in case credentials were stolen without being detected.

Additionally, it is strongly advised that customers enable multi-factor authentication (MFA) on their Slack accounts. MFA was added to Slack in 2015 after a large-scale data breach. MFA is a simple and cost-effective, yet effective, means of giving online systems an additional layer of security.
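The breach described above began with stolen employee tokens, and the remediation was to reset every affected token. A practical defender-side step that follows from this is to find where such tokens have been written into configuration, scripts or logs so they can be revoked and rotated. The example below is an added illustration and is not code from this bulletin, from Slack or from GitHub: it scans a set of in-memory "files" for strings shaped like GitHub tokens, records each hit with a redacted form that is safe to put in a ticket, and produces a deduplicated revocation list. The token shapes (ghp_/gho_/ghu_/ghs_/ghr_ plus 36 characters, github_pat_ plus 82 characters) are assumed from GitHub's published prefix scheme, and all sample content is constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Assumed token shapes (approximations of GitHub's published prefix scheme):
#   gh[p|o|u|s|r]_ + 36 characters  -> classic PAT, OAuth, App user/server, refresh tokens
#   github_pat_    + 82 characters  -> fine-grained personal access token
# The \b anchors stop the patterns from matching inside longer identifiers.
TOKEN_PATTERNS = {
    "github_token": re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36})\b"),
    "github_fine_grained_pat": re.compile(r"\b(github_pat_[A-Za-z0-9_]{82})\b"),
}
PREFIX_RE = re.compile(r"^(gh[pousr]_|github_pat_)")


@dataclass(frozen=True)
class Finding:
    path: str       # file the token was found in
    line_no: int    # 1-based line number within that file
    kind: str       # key from TOKEN_PATTERNS
    redacted: str   # prefix + "..." + last four characters, never the full secret


def redact(token: str) -> str:
    """Keep only the prefix and the last four characters so a report can be shared."""
    m = PREFIX_RE.match(token)
    prefix = m.group(1) if m else ""
    return f"{prefix}...{token[-4:]}"


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan each file's text line by line and return every token-shaped match."""
    findings: List[Finding] = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for kind, pattern in TOKEN_PATTERNS.items():
                for match in pattern.finditer(line):
                    findings.append(Finding(path, line_no, kind, redact(match.group(1))))
    return findings


def revocation_report(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group distinct (redacted) tokens by kind: one entry per credential to revoke."""
    report: Dict[str, List[str]] = {}
    for f in findings:
        bucket = report.setdefault(f.kind, [])
        if f.redacted not in bucket:
            bucket.append(f.redacted)
    return report


# Constructed sample files; the token-like strings below are not real secrets.
SAMPLE_FILES = {
    "ci/deploy.env": (
        "# constructed sample; not a real secret\n"
        "GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789\n"
        "DEBUG=true\n"
    ),
    "scripts/sync.sh": (
        "curl -H 'Authorization: Bearer github_pat_"
        + "A" * 22 + "_" + "B" * 59
        + "' https://api.github.com/user\n"
        "echo ghp_tooshort  # too short to be a token; must not match\n"
    ),
    "logs/app.log": (
        "2022-12-27T10:15:00Z INFO token refreshed "
        "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789\n"
    ),
}

if __name__ == "__main__":
    hits = scan_files(SAMPLE_FILES)
    for hit in hits:
        print(f"{hit.path}:{hit.line_no} {hit.kind} {hit.redacted}")
    print("to revoke:", revocation_report(hits))
```

The same token appearing in both a config file and a log line collapses to a single entry in the revocation report, which is the list an incident responder actually needs; the per-line findings tell them where to clean up after the credential has been reset.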

Indicators of Compromise

No IOCs.

Threat Landscape

Slack is the leading platform for business collaboration with over 10 million active daily users. The popularity of the platform has almost certainly resulted in it being a preferred target for malicious threat actors seeking to exploit accounts with limited security.

In 2015 Slack suffered a data breach affecting a large volume of their customers. This data included email addresses, usernames, passwords, telephone numbers, and in some instances, Skype IDs. In 2019 it was discovered that some of these stolen credentials had been involved in recent attacks, resulting in password resets for many of those accounts affected by the 2015 compromise. However, these resets only accounted for approximately 1% of the customer base as certain criteria had to be met. Therefore, it is a realistic possibility that stolen credentials from the 2015 attack were used in this latest incident.

Threat Group

Perpetrating threat actors have yet to be identified.

MITRE Methodologies

T1133 – External Remote Services
Realistic possibility: T1078 – Valid Accounts
Realistic possibility: T1003 – OS Credential Dumping

Intended Impact: Unknown.

Further Information

Security Week – Slack data breach
Bleeping Computer – Slack data breach