Slack’s secret GitHub code repository was stolen during holidays

Over the holiday season, Slack was affected by a security breach that affected some of its private GitHub codes repositories.

An estimated 18 million people use the Salesforce-owned IM App at work and in digital communities all over the globe.

Customers data are not compromised

BleepingComputer discovered a Slack security incident notice dated December 31, 2022.

Threat actors gained access to Slack’s externally-hosted GitHub repositories through a limited number of Slack employee tokens.

According to Slack, while some of its private code repositories were compromised, Slack’s primary codebase, and customer data, remained unaffected.

This is the text of the Notice [ and ] that was published on New Years Eve:

We were notified by GitHub of suspicious activity in our account on December 29, 2022. Upon further investigation we found that a small number of Slack tokens had been stolen from employees and used to access our externally hosted GitHub repository. The threat actor also downloaded code repositories from private servers on December 27, according to our investigation. None of the repositories that were downloaded contained customer data or access to customer data.

Slack has now invalidated the stolen tokens, and is currently investigating potential impacts to customers.

There is currently no evidence that Slack has accessed sensitive parts of the environment (including production). The company rotated all relevant secrets out of precaution.

According to current information, the unauthorised access was not caused by a vulnerability in Slack. Slack security team states that they will continue investigating and monitoring for additional exposure.

Search engines hide security update

The security update mentions that Slack takes your privacy and transparency “security and privacy very seriously” but comes with some caveats.

First, the “news” item listed on the company’s global news site.

This update can be accessed from certain regions (e.g., the United Kingdom) contrary to previous blog posts by Slack. UK is also marked with”, an HTML feature which excludes a page from search engine results. This makes it more difficult to find the page.

Slack security update slapped with a ‘noindex’ SEO tag


BleepingComputer also observed that the “meta”, tag that contained the “noindex” attribute, was placed at the bottom of the page’s HTML codes in an extended line that does not break but overflows. To put it another way, anyone viewing the source code would not be able to easily see the hidden tag without actively searching (Ctrl+F). Per convention, HTML

Elongated line 149 containing the ‘noindex’ tag doesn’t wrap


However, we noticed that Google already U.S. advisory published with no tag .

Businesses may also use to reduce the exposure of disturbing news. These techniques include the use of “noindex” in important announcements are generally frowned upon.

Last year Zack Whittaker LastPass’ .

in August 2022 after they accidentally exposed their password hashes during another incident. This notice, which is both the as well as the version of it, has a “noindex” mark.

Slack revealed in 2019 that it has for approximately 1% users who were impacted by 2015’s data breach.

Customers are not required to take any action regarding the latest security update. This is the good news.