
Slack's Private GitHub Code Repositories Stolen Over Holidays (bleepingcomputer.com)

An anonymous reader quotes a report from Bleeping Computer: Slack suffered a security incident over the holidays affecting some of its private GitHub code repositories. The immensely popular Salesforce-owned IM app is used by an estimated 18 million users at workplaces and digital communities around the world. BleepingComputer has come across a security incident notice issued by Slack on December 31st, 2022. The incident involves threat actors gaining access to Slack's externally hosted GitHub repositories via a "limited" number of Slack employee tokens that were stolen. While some of Slack's private code repositories were breached, Slack's primary codebase and customer data remain unaffected, according to the company.

The wording from the notice [1, 2] published on New Year's Eve is as follows: "On December 29, 2022, we were notified of suspicious activity on our GitHub account. Upon investigation, we discovered that a limited number of Slack employee tokens were stolen and misused to gain access to our externally hosted GitHub repository. Our investigation also revealed that the threat actor downloaded private code repositories on December 27. No downloaded repositories contained customer data, means to access customer data, or Slack's primary codebase."

Slack has since invalidated the stolen tokens and says it is investigating "potential impact" to customers. At this time, there is no indication that sensitive areas of Slack's environment, including production, were accessed. Out of caution, however, the company has rotated the relevant secrets. "Based on currently available information, the unauthorized access did not result from a vulnerability inherent to Slack. We will continue to investigate and monitor for further exposure," states Slack's security team. The good news, with regard to the most recent security update, is that no action needs to be taken by customers, for now.
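The incident pattern described above (a stolen employee token used from outside the company to pull down several private repositories in a short span) is the kind of thing a repository-hosting audit log can surface before the provider or a third party notices. The following is an added example written for this page, not code from Slack, Bleeping Computer or GitHub: it scans a constructed audit-log sample for bulk clones of distinct repositories within a short window and for clones from outside a known egress range. The log field names (`action`, `actor`, `token_id`, `repo`, `actor_ip`, `created_at`), the egress range, the threshold and the window are all assumptions chosen for the example.

```python
"""Flag bulk or off-network clones of private repositories in an audit log.

Added example for this page. The log lines, field names, egress range and
thresholds below are constructed assumptions, not any real export.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed corporate egress network; anything outside it is "foreign".
KNOWN_EGRESS = [ipaddress.ip_network("198.51.100.0/24")]
WINDOW = timedelta(minutes=10)   # look-back window for bulk-clone detection
BULK_THRESHOLD = 3               # distinct repos cloned within WINDOW

# Constructed sample: normal activity from the known network, plus one token
# used from an unknown address to clone four private repos in five minutes.
SAMPLE_LOG = """\
{"action":"git.clone","actor":"alice","token_id":"t-1","repo":"acme/web","actor_ip":"198.51.100.20","created_at":"2022-12-27T09:00:00Z"}
{"action":"git.push","actor":"alice","token_id":"t-1","repo":"acme/web","actor_ip":"198.51.100.20","created_at":"2022-12-27T09:05:00Z"}
{"action":"git.clone","actor":"bob","token_id":"t-2","repo":"acme/web","actor_ip":"203.0.113.7","created_at":"2022-12-27T03:01:00Z"}
{"action":"git.clone","actor":"bob","token_id":"t-2","repo":"acme/billing","actor_ip":"203.0.113.7","created_at":"2022-12-27T03:02:00Z"}
{"action":"git.clone","actor":"bob","token_id":"t-2","repo":"acme/infra","actor_ip":"203.0.113.7","created_at":"2022-12-27T03:04:00Z"}
{"action":"git.clone","actor":"bob","token_id":"t-2","repo":"acme/mobile","actor_ip":"203.0.113.7","created_at":"2022-12-27T03:06:00Z"}
{"action":"git.clone","actor":"carol","token_id":"t-3","repo":"acme/docs","actor_ip":"198.51.100.21","created_at":"2022-12-27T10:00:00Z"}
"""


def parse_log(text):
    """Parse newline-delimited JSON events; timestamps become datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["created_at"] = datetime.strptime(ev["created_at"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def is_known_ip(ip):
    """True when the address falls inside an allowlisted egress network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_EGRESS)


def find_suspicious_clones(events):
    """Return one finding per (actor, token) whose clone pattern looks wrong.

    Two signals are combined: clones from outside the known egress range, and
    a sliding window counting distinct repositories cloned within WINDOW.
    """
    by_token = defaultdict(list)
    for ev in events:
        if ev["action"] == "git.clone":
            by_token[(ev["actor"], ev["token_id"])].append(ev)

    findings = []
    for (actor, token), clones in by_token.items():
        clones.sort(key=lambda e: e["created_at"])
        reasons = []

        foreign = sorted({e["actor_ip"] for e in clones if not is_known_ip(e["actor_ip"])})
        if foreign:
            reasons.append("clones from outside known egress: " + ", ".join(foreign))

        # Sliding window over the sorted clone events, tracking the largest
        # number of distinct repositories seen within any WINDOW-long span.
        peak, start = 0, 0
        for end in range(len(clones)):
            while clones[end]["created_at"] - clones[start]["created_at"] > WINDOW:
                start += 1
            peak = max(peak, len({e["repo"] for e in clones[start:end + 1]}))
        if peak >= BULK_THRESHOLD:
            reasons.append(f"{peak} distinct repos cloned within {WINDOW}")

        if reasons:
            findings.append({
                "actor": actor,
                "token_id": token,
                "repos": sorted({e["repo"] for e in clones}),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_clones(parse_log(SAMPLE_LOG)):
        # The response is the one Slack describes: revoke the token, rotate
        # any secrets the cloned repositories could expose, then investigate.
        print(f"REVOKE token {f['token_id']} ({f['actor']}): {'; '.join(f['reasons'])}")
        print("  repos:", ", ".join(f["repos"]))
```

Run against the sample, the script flags only `bob`'s token `t-2` (off-network source and four distinct repositories inside one ten-minute window) and leaves the single clones from the known range alone. A real deployment would feed the provider's audit-log export in instead of the inline sample and tune `WINDOW`, `BULK_THRESHOLD` and `KNOWN_EGRESS` to the organisation's own baseline.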

Comments:
  • Obligatory. (Score:5, Funny)

    by SeaFox ( 739806 ) on Thursday January 05, 2023 @05:12PM (#63183222)

    I guess their security was too... Slack.

    YEAAAAAAAH!

  • If it is in GitHub, all you really need to do is fire up Copilot and then type: // This project contains a major competitor to Slack

    and then *boom* here comes all that secret code!

  • Why would any company risk giving their proprietary source code to another company?
    • by yabos ( 719499 )
      If you used Atlassian Bitbucket Server (self-hosted), then they are forcing everyone to the cloud. The only options to keep using Bitbucket are to keep using Server without support (works for now but maybe won't at some point), or migrate to the cloud version. I was looking for good alternatives but haven't found anything yet that would be as good.

      Our company just migrated to bitbucket cloud and we have it locked to only one IP address which is that of our internal network’s public facing
  • The immensely popular Salesforce-owned IM app is used by an estimated 18 million users at workplaces and digital communities around the world

    It's a nitpick, but 18 million users worldwide doesn't qualify as immensely popular. Maybe not even any shade of popular.
