Recent Security Breaches at Slack and CircleCI Raise Concerns Over Internet Security
Jan 9, 2023
Slack is one of the most popular workplace communication tools, so it is concerning that the platform has suffered a security breach.
Security Breaches at Slack and CircleCI - FastVPN
Recently, chat service Slack and software testing and delivery company CircleCI have both suffered major security breaches. The wording used by the companies, "security issue" and "security incident" respectively, makes the events sound minor. However, the compromise in Slack's case was the theft of employee token credentials, and in CircleCI's case the possible exposure of every secret customers had stored on the platform. This comes two weeks after password manager LastPass disclosed its own security failure: the theft of customers' password vaults, which contain sensitive data in both encrypted and cleartext form. It is not clear whether the three breaches are related, but it is a possibility.
The CircleCI breach is particularly concerning because its blast radius extends far beyond CircleCI itself: the company says it is used by over 1 million developers and 30,000 organizations and runs nearly 1 million jobs a day. The secrets those jobs consume are login credentials, access tokens, signing keys and other sensitive material, so their exposure could have a major impact on the security of the internet at large. The company has been tight-lipped about what exactly happened and has avoided concrete language in its advisory; it has not used words like "breach", "compromise" or "intrusion". However, it has told customers to rotate all secrets they store on the service, which is itself a strong indication that those secrets may have been accessed. Rotating the copy held in CircleCI is only half the job: the old credentials must also be revoked at the systems that issued them, and those systems' logs checked for use of the old values during the exposure window.
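Rotating "all secrets" starts with knowing what is stored where. The following is an added example, written for this article rather than taken from it or from CircleCI, that inventories a project's environment variables through the CircleCI v2 REST API and replaces each one for which a freshly issued value is available, reporting the rest as still pending. The endpoint paths, the `Circle-Token` header and the `next_page_token` pagination field are my understanding of the public v2 API and should be checked against the current documentation; the project slug, variable names and the in-memory fake API used to run it offline are constructed for illustration.

```python
"""Inventory and rotate CircleCI project environment variables after a provider compromise.

Added example, not CircleCI's code. Endpoints assumed from the public CircleCI API v2:
  GET    /api/v2/project/{slug}/envvar          -> {"items": [{"name", "value"}], "next_page_token"}
  DELETE /api/v2/project/{slug}/envvar/{name}
  POST   /api/v2/project/{slug}/envvar          body {"name", "value"}
GET returns masked values only, so the API can tell you WHAT to rotate, never recover
the old value; each new value must be issued by the upstream system (cloud IAM,
package registry, ...) after the old one is revoked there.
"""
import json
from typing import Callable, Dict, List, Optional, Tuple

BASE = "https://circleci.com/api/v2"
# (method, url, json body or None) -> (status code, decoded json body)
Transport = Callable[[str, str, Optional[dict]], Tuple[int, dict]]


def urllib_transport(token: str) -> Transport:
    """Real HTTP transport (not exercised offline). Circle-Token is the API auth header."""
    import urllib.error
    import urllib.request

    def transport(method: str, url: str, body: Optional[dict] = None) -> Tuple[int, dict]:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method,
                                     headers={"Circle-Token": token,
                                              "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as err:
            return err.code, json.loads(err.read() or b"{}")
    return transport


class CircleCISecrets:
    def __init__(self, transport: Transport):
        self.transport = transport

    def _call(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        status, data = self.transport(method, BASE + path, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path} -> {status}: {data}")
        return data

    def list_envvars(self, project_slug: str) -> List[str]:
        """Names of every project env var, following pagination to the end."""
        names: List[str] = []
        page_token: Optional[str] = None
        while True:
            path = f"/project/{project_slug}/envvar"  # slug like gh/org/repo, slashes kept
            if page_token:
                path += f"?page-token={page_token}"
            data = self._call("GET", path)
            names.extend(item["name"] for item in data.get("items", []))
            page_token = data.get("next_page_token")
            if not page_token:
                return names

    def rotate_envvar(self, project_slug: str, name: str, new_value: str) -> None:
        """Replace one variable: delete the exposed value, then create the new one."""
        self._call("DELETE", f"/project/{project_slug}/envvar/{name}")
        self._call("POST", f"/project/{project_slug}/envvar",
                   {"name": name, "value": new_value})


def rotate_all(client: CircleCISecrets, project_slug: str,
               new_values: Dict[str, str]) -> Dict[str, List[str]]:
    """Rotate every variable for which an upstream-issued new value exists; report the rest."""
    rotated, pending = [], []
    for name in client.list_envvars(project_slug):
        if name in new_values:
            client.rotate_envvar(project_slug, name, new_values[name])
            rotated.append(name)
        else:
            pending.append(name)  # still holds a possibly exposed value
    return {"rotated": sorted(rotated), "pending": sorted(pending)}


def make_fake_transport(store: Dict[str, str], page_size: int = 2) -> Transport:
    """Constructed in-memory stand-in for the envvar endpoints so the example runs offline."""
    def transport(method: str, url: str, body: Optional[dict] = None) -> Tuple[int, dict]:
        path, _, query = url[len(BASE):].partition("?")
        parts = path.strip("/").split("/")  # project/<vcs>/<org>/<repo>/envvar[/<name>]
        if method == "GET" and parts[-1] == "envvar":
            names = sorted(store)
            start = int(query.split("=")[1]) if query else 0
            page = names[start:start + page_size]
            nxt = start + page_size if start + page_size < len(names) else None
            return 200, {"items": [{"name": n, "value": "xxxx" + store[n][-4:]} for n in page],
                         "next_page_token": str(nxt) if nxt is not None else None}
        if method == "DELETE" and parts[-2] == "envvar":
            if parts[-1] not in store:
                return 404, {"message": "Environment variable not found."}
            del store[parts[-1]]
            return 200, {"message": "Environment variable deleted."}
        if method == "POST" and parts[-1] == "envvar":
            store[body["name"]] = body["value"]
            return 201, {"name": body["name"], "value": "xxxx" + body["value"][-4:]}
        return 404, {"message": "no such route"}
    return transport


if __name__ == "__main__":
    # Constructed sample: three secrets, new values issued upstream for only two of them.
    fake_store = {"AWS_SECRET_ACCESS_KEY": "old-aws-1234",
                  "NPM_TOKEN": "old-npm-5678",
                  "DOCKER_PASSWORD": "old-dkr-9012"}
    client = CircleCISecrets(make_fake_transport(fake_store))
    print(rotate_all(client, "gh/example-org/example-repo",
                     {"AWS_SECRET_ACCESS_KEY": "new-aws-0001", "NPM_TOKEN": "new-npm-0002"}))
```

Against the real service, swap `make_fake_transport(...)` for `urllib_transport(os.environ["CIRCLE_TOKEN"])`. The `pending` list is the useful output: anything in it still carries a value that CircleCI may have exposed, and an empty list is the only acceptable end state. Contexts (organization-level shared variables) live under a separate `/context` endpoint family and need the same treatment.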
Slack's advisory, meanwhile, is similarly opaque. It is dated December 31, but the Internet Archive did not capture it until the following Thursday, five days later; Slack was clearly in no hurry for the event to become widely known. Like the CircleCI disclosure, the Slack alert steers clear of concrete language and instead uses the passive phrase "were stolen and misused" without saying how. Adding to the lack of forthrightness, the company embedded a noindex HTML tag in the post to keep search engines from indexing the alert. After obtaining the Slack employee tokens, the threat actor used them to access the company's externally hosted GitHub account and downloaded private code repositories from there. The advisory stresses that customers were not affected and that "the threat actor did not access other areas of Slack's environment, including the production environment, and they did not access other Slack resources or customer data."
Customers should take that statement with a generous helping of salt. Remember the LastPass advisory from August? It, too, used the opaque phrase "security incident" and said "no customer data was accessed," only for the true extent to be revealed on the last major business day of 2022. It would not be surprising if Slack or CircleCI updated their advisories to disclose further access to customer data or to more sensitive parts of their networks.
It is possible, too, that some or all of these breaches are related. The internet relies on a massive ecosystem of content delivery networks, authentication services, software development tool makers and other companies, and threat actors frequently hack one of them and use the data or access they obtain to breach that company's customers or partners. That was the case with the August breach of security provider Twilio, where the same threat actor went on to target 136 other organizations. Companies need to be transparent and upfront about security breaches and to take steps to prevent them in the future. Customers, for their part, should assume that any secret entrusted to a breached provider is exposed until they have rotated it themselves.