- Detectify researchers said they found more than 1,500 Slack tokens in public projects on GitHub, putting a variety of data at risk, according to a ComputerWorld report.
- Slack tokens can provide access to a wide array of sensitive data shared inside Slack teams.
- Some of the tokens found by Detectify provided access to "payment providers, Internet service providers, schools, advertising agencies, newspapers and health care providers," according to ComputerWorld.
Developers that post code for Slack bots on GitHub often fail to remove the bots' access tokens, potentially putting sensitive business data at risk. Using the tokens they found, the Detectify researchers gained access to Slack teams and found "database credentials, sensitive private messages, files containing passwords, and logins to continuous integration platforms and internal services," ComputerWorld reported.
This isn’t the first time sensitive business data was found in publicly accessible code posted on GitHub. In 2014, a researcher found almost 10,000 access keys for Amazon Web Services and Elastic Compute Cloud.
Developers that utilize GitHub to share what they’ve developed in Slack should be sure to remove tokens first.
"Never commit credentials inside code, ever," Detectify researchers said in a blog. "The first thing you should do is to create environment-variables inside a file and ignore that file from the code repository from [the] start."
Slack’s popularity in the enterprise has been growing rapidly. In just a year, the company's user count and paid seats increased three and a half times. As of April 1, Slack had 2.7 million daily active users and 800,000 paid seats.