Following closely on the heels of a security breach of Okta’s GitHub repositories, Slack has experienced a similar attack and has confirmed that some source code has been stolen.
The attack took place in late December, around the Christmas holiday. The good news is that the company reports no impact to its services or customer information, but did say that some small amount of its employees were impacted by the security breach. It is not clear exactly what sort of source code was taken from the GitHub repositories, but Slack says that it was not part of the primary codebase.
Slack security breach “not the result of internal vulnerability”
As IT teams struggle to contain all manner of attempted security breaches, GitHub repositories can sometimes fall by the wayside. These code collections are increasingly popular targets for hackers, however, as the breaches of Slack and authentication service Okta (among other recent incidents) demonstrate.
Without knowing exactly what was taken from Slack’s GitHub repositories, it’s impossible to say what the potential extent of the damage is. But hackers are generally after source code either for something to sell, or to scrutinize it for potential vulnerabilities that could provide deeper access to the target organization. Any security breach of this nature is thus worth keeping an eye on, as an initial “all clear” report could change some months later.
For the moment there is no evidence that Slack’s customers are impacted and the company is not advising any special action, but it might be an appropriate moment for a password change. Slack has said that it has invalidated the stolen authentication tokens that were used to get into the GitHub repositories and has rotated its internal credentials.
GitHub repositories often overlooked by security teams
GitHub repositories, especially those that are hosted externally (as was the case with Slack), often have security holes that stem from simple oversights like access control and misconfiguration. Slack’s contention that its incident was not an “inherent vulnerability” implies some sort of third party breach, possibly of a vendor or contractor that had shared access to this code.
Slack has made several moves that appear to be attempts to suppress the story, something that does not inspire confidence in its initial assessment of the damage. As it did during a prior breach in August 2022, it added an HTML tag to the breach notification that kept it from being picked up by search engines; the notification also only appeared in the middle of its visually busy United States blog, with no appearance (as of yet) on the international version.
Organizations might take this recent string of security breaches as a prompt to review GitHub security. Though it tends to be seen as a lower-priority item, particularly when there are regularly lots of fires to put out, shoring it up can also consist of a short series of fairly easy fixes.