Dive Brief:
- In a blog post released Saturday, Slack said an outside threat actor stole a limited number of employee tokens and used them to gain access to the company’s externally hosted GitHub repository.
- The company said it was notified of suspicious activity last week, and the investigation found the threat actor had also downloaded private code repositories on Dec. 27. None of the repositories had customer data, a means to access that data or the company’s primary code base.
- Slack said it immediately invalidated the stolen tokens and determined the threat actor did not access any of its remaining environment or any customer data. The company said there was no impact to its code or services, but it has rotated all relevant credentials as a precaution.
Dive Insight:
Salesforce-owned Slack is a messaging platform widely used by major companies across the country, particularly since corporate employees moved to remote or hybrid operations during the pandemic.
The security of the platform has come under scrutiny in recent years as companies became increasingly dependent on Slack as a key method of communication.
The company announced plans in August to increase security through the use of no-code audit logs, which give administrators the ability to conduct fast reviews of unusual activity.
Slack said the incident last week was not the result of any vulnerability inherent to the company, but said it would continue to investigate and monitor for further exposure.
The attack is part of a growing trend of threat actors using identity as a means of attack, said Peter Firstbrook, VP analyst at Gartner.
“Traditionally we’re used to (attackers) hacking in through vulnerabilities and misconfigurations and things like that,” Firstbrook said. “But increasingly what we’re seeing are attackers just stealing passwords and logging in.”
Threat actors have previously targeted GitHub repositories. Okta in December said its source code repositories were accessed and copied. Customer data was not accessed in that incident.
Separately, researchers from Checkmarx discovered a vulnerability in GitHub’s repository namespace retirement mechanism that enables a technique called repojacking, which raises the risk of supply chain attacks.
LastPass, too, is dealing with a compromise of its code base, which resulted in a threat actor copying a backup of its customer vault data. The company did not specify which code repository it used.
A spokesperson for Slack referred all questions about the incident back to the blog post.