Slack’s Private GitHub Code Repositories Stolen Over Holidays
The wording from the notice [1, 2] published on New Year’s eve is as follows: “On December 29, 2022, we were notified of suspicious activity on our GitHub account. Upon investigation, we discovered that a limited number of Slack employee tokens were stolen and misused to gain access to our externally hosted GitHub repository. Our investigation also revealed that the threat actor downloaded private code repositories on December 27. No downloaded repositories contained customer data, means to access customer data, or Slack’s primary codebase.”
Slack has since invalidated the stolen tokens and says it is investigating “potential impact” to customers. At this time, there is no indication that sensitive areas of Slack’s environment, including production, were accessed. Out of caution, however, the company has rotated the relevant secrets. “Based on currently available information, the unauthorized access did not result from a vulnerability inherent to Slack. We will continue to investigate and monitor for further exposure,” states Slack’s security team. The good news, with regards to the most recent security update is that no action needs to be taken by customers, for now.
Read more of this story at Slashdot.