Proactive Measures In opposition to Password Breaches and Cookie Hijacking

Proactive Measures In opposition to Password Breaches and Cookie Hijacking
Proactive Measures In opposition to Password Breaches and Cookie Hijacking

At Slack, we’re dedicated to safety that goes past the extraordinary. We repeatedly try to earn and keep person belief by safeguarding essential elements integral to each person’s expertise. From passwords to session cookies, and tokens to webhooks, we prioritize defending every thing important to how customers log into the platform and stay authenticated. By way of proactive measures and revolutionary automations that leverage cutting-edge risk intelligence, we’re devoted to shielding customers from potential breaches, cookie hijacking malware, and inadvertent publicity of delicate info and secrets and techniques.

Secrets and techniques ought to stay secret

Slack’s technique has all the time been to anticipate and mitigate threats earlier than they’ll impression our customers. Since 20161, now we have been repeatedly scanning the web utilizing common expressions2 tailor-made to the specifics of our tokens and webhooks to search out any which can be publicly accessible. Oftentimes these secrets and techniques get inadvertently uncovered after they get hard-coded into improvement code after which printed someplace like GitHub. Since these secrets and techniques present various ranges of entry to a person’s workspace, our tooling mechanically and instantly invalidates tokens and webhooks upon discovery and notifies their respective homeowners.

Following this, we aimed to increase the identical stage of safety and automation to Slack passwords and session cookies. Password reuse throughout a number of platforms poses a big danger to person safety. A 2023 research on account takeovers discovered that 70% of victims reported that they reused the identical password throughout a number of websites and companies, resulting in 53% of them having had a number of accounts taken over.3 Put in numbers, 29% of American adults skilled an account takeover by 2023, equating to roughly 77.5 million victims in response to authorities inhabitants figures.4 On the similar time, passwords and session cookies are additionally prone to malware that’s constructed to steal it from a person’s browser, one thing we’ll get into beneath.

Uncovered password detection and rotation

This led us to collaborate with strategic risk intelligence companions who acquire knowledge from various sources similar to breaches, darkish internet boards, botnets, and malware. These partnerships present us with high-fidelity, actionable knowledge in real-time that lets us keep forward of risk actors, whereas additionally making Slack a much less interesting goal by rendering credentials stolen by these risk actors invalid and ineffective.

We repeatedly ingest this risk intelligence by way of our companions’ APIs and proactively discover matches between the credentials of our customers and people showing in risk actor datastreams. When a match is discovered, that credential is instantly reset and blocked from being reused by the related person sooner or later now that it’s compromised. Oftentimes we are able to catch these susceptible passwords so rapidly that we’re capable of reset them earlier than a risk actor is ready to use them to achieve unauthorized entry to an account.

This means of evaluating passwords offered by our risk intelligence companions with entries in our database isn’t simple, nonetheless. Whereas credential breach knowledge is offered in plaintext, permitting dangerous actors to make use of it, Slack passwords are securely saved as salted hashes, making a direct comparability inconceivable. To resolve this, we created a knowledge pipeline that mechanically ingests candidate credentials from our risk intelligence knowledge sources after which salts and hashes every password so {that a} comparability to Slack’s database may be made earlier than the datapoint is purposefully—and completely—discarded.

Though the method of salting and hashing every candidate password is intentionally time consuming, we’re capable of course of hundreds of thousands of credentials5 in an affordable period of time inside the safe confines of Slack’s backend. We accomplish this by dividing them into smaller batches and processing them in parallel in a job queue. When our backend course of identifies a match, the related person’s password is instantly reset and the person is notified by way of an electronic mail explaining this exercise, alongside some follow-up actions they’ll take to enhance the safety of their account going ahead. At this level or if no match is discovered, the pipeline discards the datapoint so risk intelligence knowledge isn’t collected or saved by Slack.

Invalidating hijacked cookies

All cookies of any app or service, together with the Slack session cookie every Slack person possesses, are domestically saved on a person’s gadget. This native storage affords advantages like velocity, effectivity, scalability, and offline performance, but it surely additionally produces a safety danger. If a risk actor is ready to compromise that person’s gadget, they might additionally acquire entry to the cookies on that gadget and use the Slack cookies to achieve entry to the person’s workspaces.

To proactively guard towards this chance, other than monitoring for indicators of cookie misuse inside Slack, we additionally continually monitor risk intelligence datastreams and invalidate exfiltrated Slack cookies in a well timed method, balancing safety with person expertise. This extends the preliminary system we carried out that discovers and invalidates person session tokens on a Slack person’s behalf so the cookies are additionally shielded from malicious use.

Oftentimes, our risk intelligence companions uncover hijacked Slack cookies so rapidly6 that we’re capable of not solely invalidate every earlier than a nasty actor may have the prospect to misuse them, however in a means that’s tailor-made to every respective person’s geography and timezone. When a Slack cookie is invalidated, its related session will get marked for termination, which as soon as full logs the person out of their workspace. That’s a great factor, by way of defending the person’s accounts from unauthorized entry, however we additionally know nobody needs to lose entry to Slack throughout a essential dialog or in the course of presenting in a huddle.

Throughout runtime, our automation evaluations every compromised cookie to judge whether or not the related person’s geography means it’s throughout their typical weekday working hours. In that case, the invalidation of that particular cookie is scheduled to happen in a time window outdoors of that vary, whereas cookies belonging to customers who should not at the moment inside their weekday working hours are invalidated instantly. This lets us present a optimistic person expertise that considers every person’s timezone whereas calculating probably the most environment friendly and well timed invalidation for the exfiltrated cookie.

As with uncovered passwords, when a cookie will get invalidated we notify the impacted person by way of electronic mail. Moreover, if that person’s workspace is on an Enterprise plan supporting Slack Audit Logs, we additionally add an occasion for the cookie invalidation into their audit logs for transparency.


Our dedication to safety at Slack extends past standard measures by leveraging leading edge risk intelligence with revolutionary automations for locating and invalidating susceptible person credentials at scale. We firmly consider that proactively safeguarding towards current and rising threats just isn’t solely a necessity for fostering a safe platform, however essential for sustaining person belief in our model. We additionally pleasure ourselves on designing approaches that emphasize a seamless and clear person expertise, all whereas concurrently implementing strong safety protocols to thwart unauthorized entry makes an attempt by risk actors.

Enthusiastic about serving to us defend Slack customers? Apply now