Slack's Insufficient Security Measures

From Privacy Wiki
Short Title: Slack Applies Insufficient Security Measures
Location: Global
Date: July 2019
Taxonomy: Insecurity, Secondary Use
Information: Identifying, Contact, Communication, Computer Device, Professional, Social Network, Authenticating
Threat Actors: Slack Technologies Inc., Companies that use Slack for corporate communication, Law Enforcement
Affected: Users of Slack
High Risk Groups: Employees
Secondary Consequences:

Slack was found to have insufficient security measures, failing to encrypt user data, and having unfair data retention policies.


According to Slack’s S-1 form, the company faces threats from “sophisticated organized crime, nation-state, and nation-state supported actors.”

The company acknowledges that its security measures “may not be sufficient to protect Slack and our internal systems and networks against certain attacks,” and correctly assesses that it is “virtually impossible” for the company to completely eliminate the risk of a nation-state attack.

Right now, Slack stores everything users do on its platform by default, including usernames and passwords, and all messages.

That data is not end-to-end encrypted, which means Slack can read it, law enforcement can request it, and hackers — including the nation-state actors highlighted in Slack’s S-1 — can break in and steal it. This is an example of Insecurity.

Particularly alarming is that free customer accounts don’t allow for any changes to data retention. Slack retains all of its users' data but makes only the most recent 10,000 messages visible to the user. The rest are stored on Slack servers to keep them ready in case the user decides to upgrade to the paid version. Hiding users' communication data from them, and using it as "bait" to make them pay, can be interpreted as Secondary Use.

Risk Statistics

Laws and Regulations