Slack’s GitHub Code Stolen During Breach

Tyler Cross

Popular online chat company Slack announced last week that it was the victim of a data breach, which resulted in several employee tokens being stolen. Though only a limited number of tokens were taken, threat actors were able to misuse them to steal some of Slack’s private GitHub code repositories on Dec 27.

Slack also suffered a breach in August and in 2019, and passwords had to be reset for users due to the scope of the breach. However, the latest breach didn’t affect customer data, and customers don’t have to take any action.

“While some of Slack’s private code repositories were breached, Slack’s primary codebase and customer data remain unaffected,” the company said in a statement. “No downloaded repositories contained customer data, means to access customer data, or Slack’s primary codebase.”

Slack responded immediately by launching its own investigation and invalidating the employee tokens, cutting off the threat actors’ access.

The press release revealed that “The threat actor did not access other areas of Slack’s environment, including the production environment, and they did not access other Slack resources or customer data.”

However, Slack didn’t say what was stolen. Slack also went on to rotate relevant credentials as a precaution, further protecting its data in light of the breach. This precaution would keep any credentials that may have been stolen from being usable.

Slack also stated that it doesn’t believe the unauthorized access to employee tokens resulted from an inherent vulnerability, and it is currently investigating the source of the breach.

While this was a large security breach with an ongoing investigation, Slack has reassured customers that it “takes security, privacy, and transparency very seriously.”

About the Author

Tyler Cross, Senior Writer

Tyler is a writer at SafetyDetectives with a passion for researching all things tech and cybersecurity. Prior to joining the SafetyDetectives team, he worked with cybersecurity products hands-on for more than five years, including password managers, antiviruses, and VPNs, and learned everything about their use cases and function. When he isn't working as a "SafetyDetective", he enjoys studying history, researching investment opportunities, writing novels, and playing Dungeons and Dragons with friends.