Slack, Salesforce's popular IM app, suffered a security breach this past holiday season. The attack affected some private repositories on GitHub containing portions of code. Customer data appears to be unaffected by the attack, which the company disclosed on December 31, 2022.
The attackers appear to have gained access to Slack's externally hosted GitHub repositories using some stolen tokens belonging to Slack employees. The company confirmed that Slack's core codebase and customer data were not compromised in the attack. In any case, all the relevant secret keys have been rotated.
An anomalous aspect, reported by BleepingComputer, is that Slack's notice about the incident does not appear on the company's international blog, at least for now. The post is reachable only from some areas, such as the United Kingdom, and has also been marked for exclusion from search engines via the “noindex” attribute.
Therefore, according to BleepingComputer, Slack intentionally hid the news. Other companies have been accused of similar conduct in the past, such as GoTo and LastPass, which, according to journalist Zack Whittaker, used similar tactics during the security breach suffered by the password manager company in 2022.
This isn't the first time Slack has faced breaches. In 2019, the company reset the passwords of the approximately 1% of its user base affected by the cyberattack it suffered in 2015. However, based on the current situation, Slack users do not need to take any action.