
Nikkei’s Slack breach leaks sensitive data from more than 17,000 users

Thursday November 6, 2025. 09:26 PM , from ComputerWorld
Japanese media company Nikkei has confirmed that a security breach of its Slack accounts has potentially leaked highly sensitive information from more than 17,000 of its users. Consultants point to the incident as yet another reminder of the dangers when non-corporate devices are allowed to access confidential corporate data. 

“An employee’s personal computer was infected with a virus, leading to the leakage of Slack authentication credentials. It is believed that this information was used to gain unauthorized access to employee accounts,” Nikkei said in a published statement. “The incident was identified in September and countermeasures such as changing passwords were implemented. Potentially leaked information includes the names, email addresses, and chat histories for 17,368 individuals registered on Slack.”

The Nikkei statement added, “Considering the incident’s significance and to ensure transparency, we voluntarily reported it to [Japan’s] Personal Information Protection Commission. No leakage of information related to sources or reporting activities has been confirmed.”

Cybersecurity consultant Brian Levine, a former federal prosecutor who today serves as executive director of FormerGov, a directory of former government and military specialists, stressed that this is part of an ongoing trend of Slack breaches.

“There is often increased risk when employees or contractors access company resources from non-company-managed devices. Recent attacks against Okta, MGM Resorts, and others have been linked to such unmanaged access,” Levine said, adding that last year, “an attacker exfiltrated more than [1 terabyte] of internal data from Disney’s Slack environment when a contractor had accessed Slack from an unmanaged device, bypassing monitoring tools.”  

Erik Avakian, technical counselor at Info-Tech Research Group, noted that one of the most concerning things about attacks similar to the Nikkei breach is that the attackers are often able to easily bypass MFA defenses.

“An employee’s computer gets hit by malware designed to steal credentials. The malware grabs Slack session tokens and cookies, then sends them to attacker command and control servers,” Avakian said. “With those stolen and likely active tokens, the attacker is able to log into Slack from their own device and access private channels and chat history without even triggering a multi-factor authentication prompt, since they reused an already-authenticated session.”

Avakian said that the nature of these attacks suggests that enterprise CISOs should consider procedural changes. 

This kind of attack would give threat actors “broad access to channels and integrations, which made the impact worse. Weaknesses around this incident shine a light on unmanaged or poorly protected devices, long-lived tokens, and not enough logging or alerts for suspicious sessions,” Avakian said. “Organizations can learn from these types of incidents, and those using Slack, or any other widely used communications platform similar to Slack, should maintain a policy for revoking active sessions and refreshing tokens for affected users routinely, forcing password resets and rotating API tokens.”
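The two gaps named above, alerts for suspicious sessions and long-lived tokens, can be checked from session logs. The following is an added example, not part of the original article and not Slack's own tooling; the log schema, the sample events and the 30-day limit are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events; the field names are a hypothetical log schema,
# not Slack's actual access-log format.
SAMPLE_EVENTS = [
    {"ts": "2025-09-01T08:00:00", "user": "u-alice", "session": "s-100",
     "ip": "198.51.100.10", "ua": "Slack-Desktop/macOS"},
    {"ts": "2025-09-01T12:30:00", "user": "u-alice", "session": "s-100",
     "ip": "198.51.100.10", "ua": "Slack-Desktop/macOS"},
    {"ts": "2025-09-02T03:15:00", "user": "u-alice", "session": "s-100",
     "ip": "203.0.113.77", "ua": "Mozilla/5.0 (X11; Linux x86_64)"},
    {"ts": "2025-09-02T09:00:00", "user": "u-bob", "session": "s-200",
     "ip": "198.51.100.20", "ua": "Slack-Desktop/Windows"},
    {"ts": "2025-10-20T09:00:00", "user": "u-bob", "session": "s-200",
     "ip": "198.51.100.20", "ua": "Slack-Desktop/Windows"},
]

MAX_SESSION_AGE = timedelta(days=30)  # assumed policy value


def review_sessions(events, max_age=MAX_SESSION_AGE):
    """Return sorted (session, user, reason) findings for sessions to revoke."""
    first_seen = {}   # session -> (timestamp, ip, ua) of its first event
    findings = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        sid = ev["session"]
        if sid not in first_seen:
            first_seen[sid] = (ts, ev["ip"], ev["ua"])
            continue
        start, ip, ua = first_seen[sid]
        # Same session presented by a different client: MFA was satisfied on
        # the original device, so the reuse itself raises no prompt.
        if (ev["ip"], ev["ua"]) != (ip, ua):
            findings.add((sid, ev["user"], "new-client"))
        # Session still accepted long after it was first seen.
        if ts - start > max_age:
            findings.add((sid, ev["user"], "long-lived"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review_sessions(SAMPLE_EVENTS):
        print(finding)
```

A changed IP address alone is common for roaming users, so the "new-client" findings are candidates for review or forced re-authentication rather than proof of compromise.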

Jeff Man, a senior information security consultant with Online Business Systems, pointed out, “the larger discussion should be on the failings of the Nikkei IT/IS program to protect against some sort of attack that targeted its employees. Why are employees allowed to use Slack on personal devices?”

“So this is really an issue of risk management,” Man said. “In the case of Nikkei, it appears the exploitation was elsewhere [on the system]. The initial access allowed the miscreants to use credentials to gain access to Slack. That’s not a compromise of Slack itself, that’s a compromise of employee account authentication.”

Stephen Boyce, security consultant and CEO of The Cyber Dr., said the Nikkei incident represents “what happens when someone uses a personal device to get into work systems. Once that device gets hit with malware, it’s game over for the credentials. The part that worries me is this could happen anywhere. People forget how much sensitive stuff ends up in Slack: messages, files, links, sometimes even credentials. Once someone has that, they can poke around pretty freely.”

“To me, it’s just another reminder that zero trust has to go all the way out to the edge, not just the network. You’ve got to know the device, use MFA tied to managed hardware, and control what data lives in those SaaS tools,” Boyce said. “You may also be asking ‘Well, do we do away with BYOD altogether?’ And the short answer is ‘no’ but we do need to look at ways we can secure the workforce beyond company-issued assets.”

This article originally appeared on CSO Online.
https://www.computerworld.com/article/4086194/nikkeis-slack-breach-leaks-sensitive-data-from-more-th...
