How do you keep secrets out of Slack?

too many secrets

At a recent security conference we interviewed over 100 MSSPs (Managed Security Service Providers).  Over 90% of the security companies said that both Slack and MS Teams were massive liabilities because people left secrets unencrypted at rest.

“Speaking to the Times, the hackers explained how they managed to hijack Twitter’s servers via information left on Twitter’s internal Slack channel”

*https://decrypt.co/36017/attackers-used-slack-to-breach-twitter-according-to-report

We find it ironic that many of the recent hacks that have affected Fortune 500 companies have not required a significant amount of technical skill, relying primarily on “mfa bombing” and “looking for secrets…” In both the Twitter hack of 2021 and the Uber hack of 2022, the attackers simply found unecrypted passwords with links to administrative tools via Slack.

Vulns, Insider threats and compliance nightmares

Leaving unencrypted secrets at rest in Slack or Teams can have severe consequences and pose significant risks to your organization’s security. Here are three key reasons why it’s a bad idea to leave unencrypted secrets in Slack:

  1. Unauthorized access: Leaving unencrypted secrets, such as passwords, API keys, or confidential documents, within Slack pollutes your communications infrastructure. If a malicious actor gains access to a Slack workspace, they can easily search for and retrieve these unencrypted secrets, compromising the security of various systems.
  2. Exposure to insider threats: Unfortunately, employees or contractors with malicious intent, or even those who inadvertently mishandle sensitive information, can exploit unencrypted secrets left in Slack. Without secret management, this data is easily accessible to anyone with access to the workspace. It’s crucial to implement tools to mitigate the risks associated with insider threats and ensure that only authorized individuals can view and use sensitive data.
  3. Compliance and regulatory issues: Leaving unencrypted secrets in Slack may violate industry-specific regulations and compliance requirements for your company. Many regulatory frameworks, such as the General Data Protection Regulation (GDPR) or the Payment Card Industry Data Security Standard (PCI DSS), mandate the protection of sensitive data through encryption and secure storage practices. Failure to comply with these regulations can result in legal consequences, financial penalties, and damage to the organization’s reputation.

Mitigating the risks associated with leaving unencrypted secrets in Slack becomes significantly easier if you don’t have any sensitive data stored there in the first place. One effective approach to achieving this is by utilizing one-time links instead of sharing sensitive information directly within the platform.  This leaves a paper trail of the exchange without leaving the sensitive data to be seen by unintended viewers