Slack Lists Cybersecurity Risks Ahead of Going Public

Slack Technologies, the company behind the popular team collaboration platform Slack, faces a wide range of cyber threats, including attacks launched by sophisticated cybercriminals and nation-state actors, according to a document filed on Friday with the U.S. Securities and Exchange Commission (SEC).

The filing is part of Slack’s plan to go public. The company has decided to list its shares directly on the New York Stock Exchange (under the symbol “SK”) rather than going through a traditional initial public offering (IPO).

In its S-1 filing with the SEC, Slack said its revenue increased from $105 million in fiscal year 2017 to over $400 million in 2019, while losses remained at roughly $140 million per year over the past three years.

The company has warned that its financial results in the upcoming period may be harmed by unauthorized access to its systems or data, or the data of its customers. Slack is concerned not only about traditional hackers, malware, phishing, malicious insiders, denial-of-service (DoS) attacks, and password attacks, but also the threat posed by “sophisticated organized crime, nation-state, and nation-state supported actors.”

“Third parties may attempt to fraudulently induce employees, users, or organizations into disclosing sensitive information such as user names, passwords, or other information or otherwise compromise the security of our internal electronic systems, networks, and/or physical facilities in order to gain access to our data or the data of organizations on Slack, which could result in significant legal and financial exposure, a loss of confidence in the security of Slack, interruptions or malfunctions in our operations, and, ultimately, harm to our future business prospects and revenue,” Slack said.

“Users or organizations on Slack may also disclose or lose control of their API keys, secrets, or passwords, or use the same or similar secrets or passwords on third parties’ systems, which could lead to unauthorized access to their accounts and data within Slack (arising from, for example, an independent third-party data security incident that compromises those API keys, secrets, or passwords),” it added.

The company has admitted that its cybersecurity systems may not function properly or may not be sufficient, which could result in a data breach.

As an example of a breach suffered by the company, Slack mentioned a March 2015 incident that resulted in hackers gaining access to user data, including names, email addresses and encrypted passwords. However, the firm said it was not aware of any material impact on any organizations that resulted from the incident.

The SEC filing also highlights that the company’s failure to comply with privacy, information security and data protection laws and regulations, particularly the EU’s General Data Protection Regulation (GDPR), could result in fines or actions against the company.

Slack says it has over 10 million daily active users across more than 150 countries. These users, representing over 600,000 organizations, send over 1 billion messages every week via the platform. The company claims to have 88,000 paid customers, including more than 65 of the Fortune 100 firms.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.