Breach Debrief Series: The Fake Slackbot

Hananel Livneh, Head of Product Marketing

Last month, The Verge reported on an amusing story of abusing Slack in a design, technology, science, and science fiction website. Tom McKay of IT Brew successfully hid on Slack after leaving the company in 2022 by assuming the persona of “Slackbot,” remaining undetected by management for months. McKay shared screenshots of his antics on X and confirmed the escapade to The Verge. By changing his profile picture to resemble an angrier version of Slackbot’s icon and altering his name to “Slackbot” using a special character (Unicode character “о”), McKay’s account evaded deletion, allowing him to send bot-like messages to colleagues such as, “Slackbot fact of the day: Hi, I’m Slackbot! That’s a fact. Have a Slack-ly day!”.

On first read McKay’s escapade seems as a lighthearted reminder of the potential for mischief in digital spaces. This was how the cyber community of Hacker News of Y Combinator received this news, which prompted  users to share their own experiences from the old days, including a story from the days of dialup internet. However, as the thread continued, some people started wondering about the security impact. The r/sysadmin subreddit on the other hand was quick to realize the lack of an offboarding process. Other Slack admins shared their frustration and challenges of securing the SaaS app.

The Challenge of Offboarding 

When employees transition out of an organization, it’s imperative for security that access to corporate assets be promptly revoked. While much of this process is automated through workflows that remove employees from the identity provider (IdP), manual deprovisioning is necessary for applications not integrated into the IdP. Challenges in permanently removing users from SaaS applications include applications not synced with the IdP, the use of shared passwords among teams, and individuals retaining access through previously shared credentials acquired during their tenure. Failure to fully offboard users poses significant risks such as data theft or breaches, either by former employees or unauthorized individuals with stolen credentials. Overcoming these hurdles is crucial for maintaining robust security measures within organizations.

Securing Slack 

Slack is a leading collaboration and communication platform, revolutionizing how teams work together. With its intuitive interface, real-time messaging, and extensive integration options, Slack has gained popularity among organizations of all sizes. However, as with any cloud-based platform, it is crucial to address security issues and concerns to protect sensitive data and maintain a secure working environment. While Slack offers robust security measures, it is essential to be proactive in addressing potential security issues and concerns. Organizations must recognize the value of the data shared within the application, including sensitive files, proprietary information, and confidential communications.

To secure Slack, here are some best practices to follow:

  1. Strong Passwords and MFA: Encourage users to create strong, unique passwords for their Slack accounts and enable multi-factor authentication (MFA) for an added layer of security.
  2. User Access Control: Implement proper access controls by assigning roles and permissions based on user responsibilities. Restrict access to sensitive channels and data to authorized individuals only.
  3. Third-Party App Permissions: Regularly review and manage permissions granted to third-party apps integrated with Slack. Limit access to necessary functions and regularly audit authorized applications.
  4. Guest Access Controls: If using Slack for external collaboration, configure guest access settings carefully. Define restrictions and permissions for guests and regularly monitor guest activity.

Conclusion

As the cyber threat landscape evolves, even lighthearted stories like this one provide important lessons for organizations as they fortify their defenses against sophisticated attacks.  The fake Slackbot underscores the pressing need for comprehensive security measures and proper off-boarding. 

The easiest way to deprovision users from SaaS applications is through a SaaS Security Posture Management (SSPM) platform that is integrated with a SOAR. Using automated workflows, these processes quickly identify and fully deprovision offboarded employees who maintained access to SaaS applications.

By using an SSPM, enterprises can confidently move forward, knowing that access to their applications is under their full control. 

Have users you need to deprovision? Download our latest ebook, Offboarding Employees from Your SaaS Stack in 7 Steps!

About the writer

Hananel Livneh, Head of Product Marketing

Hananel Livneh is Head of Product Marketing at Adaptive Shield. He joined Adaptive Shield from Vdoo, an embedded cybersecurity company, where he was a Senior Product Analyst. Hananel completed an MBA with honors from the OUI, and has a BA from Hebrew University in Economics, Political science and Philosophy (PPE). Oh, and he loves mountain climbing.