Slack credentials abundant on cybercrime markets, but little interest from hackers

Security researchers find more than 17,000 Slack credentials for roughly 12,000 Slack workspaces being sold online.
Written by Catalin Cimpanu, Contributor

Slack credentials are abundant on hacking forums and the dark web; however, an analysis of the cybercrime underworld shows there's little interest in the platform among hacker groups.

The conclusion belongs to cybersecurity firm KELA, who scoured the cybercrime market for Slack credentials following last week's Twitter hack and shared their findings with ZDNet this week.

KELA went looking for Slack credentials on cybercrime markets because of a New York Times report detailing last week's Twitter hack.

SEE: Navigating data privacy (ZDNet/TechRepublic special feature) | Download the free PDF version (TechRepublic)

The report claimed the massive Twitter hack took place after a teenager social-engineered a Twitter employee and gained access to the company's Slack channel.

Reporters claim the hacker found a username and password for an internal Twitter admin tool pinned to one of the Slack channel's chat rooms, which the hacker later used to wreak havoc on Twitter by defacing high-profile accounts with a cryptocurrency scam.

While Twitter never entirely confirmed the NYT report, the article brought into the limelight the importance and the broad use of Slack as a corporate tool, primarily for internal communications between employees.

Roughly 17,000 Slack credentials available for sale online

Using their threat intelligence platform, KELA went looking for Slack credentials on cybercrime markets, in an attempt to see how popular this threat vector was among cybercriminals

The company says it was able to find more than 17,000 Slack credentials that were recently offered for sale online, on hacking forums, and credentials-selling marketplaces like Genesis.

Image: KELA

The credentials belonged to more than 12,000 different Slack workspaces, and prices varied from $0.50 and up to $300, depending on the workspace's value to attackers.

Some Slack workspaces couldn't be identified, but KELA said that more than 4,300 workspaces allowed users to register using a specially-formatted email address, and were most likely government or corporate Slack channels.

Image: KELA

But KELA said that despite the large number of Slack credentials available online, hackers haven't been that interested.

"While at least 4,300 organizations seem to have Slack credentials available for sale, the demand side of the equation doesn't seem to align," said Raveed Laeb, KELA Product Manager.

Laeb said hackers rarely asked around for Slack access on hacking forums, and when they did, forum posts where they requested help remained unanswered.

Image: KELA

"Almost a year after it was posted, the ad [pictured above] still has no replies," Laeb said.

"Moreover, we found almost no discussions about schemes or methods to monetize Slack credentials, suggesting there is no active interest in targeting Slack among cybercrime communities."

Slack channels rarely yield data

Laeb cited different reasons why cybercriminals aren't paying attention to Slack as a "gateway into corporate platforms and internal data."

The primary reason is that Slack channels rarely contain useful information. Even if hackers gain access to an account, the tool mostly contains conversations between colleagues, with little information and opportunities for further escalation to a company's internal network, as Slack is a web-based tool, and not directly connected to Domain Admins, firewalls, or other company equipment.

While the Twitter hackers "definitely nailed it," as Laeb described it, gaining access to other Slack channels might be a waste of time, most of the time.

Sure, attackers can social-engineer a company's employees to access phishing pages or install malware on their systems, but Laeb says this process is time-consuming, and it's not guaranteed to yield the desired results.

Another issue is that Slack also allows companies to choose custom workspace URLs, which also makes it hard to know what organization a hacker might gain access to just by looking at the link of an ad for Slack credentials. An URL of cbges.slack.com could be the Slack channels of the Central Bank of Greece or the Slack channel of a Call of Duty clan. Hard to tell.

Slack is a standalone -- unlike Hangouts or Teams

Slack's design and modus operandi also appear to have played a role in its lack of usefulness to attackers.

Currently, Slack channels, despite being deeply ingrained into many corporate environments, seem to be safer to use than solutions like Google Hangouts or Microsoft Teams.

A compromise of a Google or Microsoft account allows attackers to access an employee or company's entire suite of enterprise apps, including all their information. On the other hand, Slack credentials usually grant access to a few sensitive files that have been shared in conversations and a lot of memes and GIFs.

However, going forward, KELA says things will definitely change. The Twitter hack has brought more attention to Slack channels as an entry point.

Slack credentials might not be as useful as G Suite or Microsoft 365 accounts, but hackers usually work by mimicking successful hacks, and the Twitter hack showed that Slack workspaces might be a good place to lurk in search for sensitive data.

Sure, some hackers might find it difficult to pivot to a company's corporate network, but that won't stop some from trying.

Europol’s top hacking ring takedowns

Editorial standards