
Proactive Measures Against Password Breaches and Cookie Hijacking

Submitted by Style Pass, 2024-07-04 14:30:04

At Slack, we’re committed to security that goes beyond the ordinary. We continuously strive to earn and maintain user trust by safeguarding the critical components integral to every user’s experience. From passwords to session cookies, and from tokens to webhooks, we prioritize protecting everything essential to how users log into the platform and remain authenticated. Through proactive measures and automations that draw on current threat intelligence, we’re dedicated to shielding users from credential breaches, cookie-hijacking malware, and inadvertent exposure of sensitive information and secrets.

Slack’s strategy has always been to anticipate and mitigate threats before they can impact our users. Since 2016 [1], we have proactively invalidated credentials exposed on the internet, matching them with regular expressions [2] tailored to the specific formats of our tokens and webhooks. These secrets are often exposed inadvertently when they are hard-coded into application source and then published somewhere public like GitHub. Because they grant varying levels of access to a user’s workspace, our tooling automatically and immediately invalidates tokens and webhooks upon discovery and notifies their respective owners.
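The scan-then-revoke flow described above, as an added example written for this page rather than Slack’s own tooling (the post says the patterns are tailored to Slack’s token and webhook formats but does not publish them). The token prefixes follow Slack’s publicly documented token families and the webhook URL shape follows the documented hooks.slack.com format; the exact regexes, the `Finding` and `plan_actions` names, the redaction scheme and the sample file are all assumptions of this example. It shows two details a practitioner cares about: a minimum-length check so placeholders like `xoxb-short` do not trigger a revocation, and de-duplication so a secret pasted in two places is revoked once and its owner notified once.

```python
import re
from dataclasses import dataclass

# Illustrative patterns (an assumption of this example, not Slack's actual regexes).
# Token prefixes follow Slack's documented families: xoxb (bot), xoxp (user),
# xoxa (app), xoxr (refresh), xoxs (legacy). The {10,} floor rejects placeholders.
SECRET_PATTERNS = {
    "slack_token": re.compile(r"\bxox[abprs]-[0-9A-Za-z-]{10,}"),
    "slack_webhook": re.compile(
        r"https://hooks\.slack\.com/services/T[0-9A-Z]+/B[0-9A-Z]+/[0-9A-Za-z]+"
    ),
}


@dataclass(frozen=True)
class Finding:
    kind: str
    line_no: int
    secret: str    # full value, needed to call the revocation endpoint
    redacted: str  # safe form for the owner notification and audit log


def redact(kind: str, secret: str) -> str:
    """Identify the secret to its owner without re-exposing it."""
    return f"{kind} ending in {secret[-4:]}"


def find_slack_secrets(text: str) -> "list[Finding]":
    """Run every pattern over each line and report one Finding per match."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(0)
                findings.append(Finding(kind, line_no, value, redact(kind, value)))
    return findings


def plan_actions(findings: "list[Finding]") -> "list[tuple[str, str]]":
    """Revoke and notify once per distinct secret, in order of first appearance.

    The same token pasted on several lines must not produce repeated revocation
    calls or duplicate owner notifications.
    """
    actions = []
    seen = set()
    for f in findings:
        if f.secret in seen:
            continue
        seen.add(f.secret)
        actions.append(("revoke", f.redacted))
        actions.append(("notify_owner", f.redacted))
    return actions


# Constructed sample: a config file a developer might accidentally commit.
# Every value below is fake.
SAMPLE_FILE = """\
# deploy.cfg (constructed example; all values are fake)
SLACK_BOT_TOKEN="xoxb-123456789012-1234567890123-AbCdEfGhIjKlMnOpQrStUvWx"
ALERT_WEBHOOK=https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX
# placeholder, too short to be a real token, must not trigger revocation:
EXAMPLE_TOKEN=xoxb-short
# the same bot token pasted a second time in a comment
# old: xoxb-123456789012-1234567890123-AbCdEfGhIjKlMnOpQrStUvWx
"""

if __name__ == "__main__":
    found = find_slack_secrets(SAMPLE_FILE)
    for f in found:
        print(f"line {f.line_no}: {f.redacted}")
    for action, target in plan_actions(found):
        print(f"{action}: {target}")
```

In a real pipeline the `revoke` action would call the platform’s revocation endpoint with `Finding.secret`, while only `Finding.redacted` would ever be written to logs or included in the notification to the owner.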

Following this, we aimed to extend the same level of protection and automation to Slack passwords and session cookies. Password reuse across multiple platforms poses a significant risk to user security. A 2023 study on account takeovers found that 70% of victims reported reusing the same password across multiple sites and services, and 53% of those victims had more than one account taken over. [3] In absolute numbers, 29% of American adults had experienced an account takeover by 2023, roughly 77.5 million victims based on government population figures. [4] At the same time, passwords and session cookies are also targeted by malware built to steal them directly from a user’s browser, something we’ll get into below.
