The Electronic Frontier Foundation (EFF), an online privacy and digital rights watchdog, has issued a warning about the risk of using Slack, a popular workplace chat app. EFF said that using the troves of personal data stored in Slack servers, hackers can launch massive nation-state attacks.
EFF associate director of research, Gennie Gebhart, through an op-ed in the New York Times, revealed that Slack’s recent Securities and Exchange Commission filing poses threats from “sophisticated organized crime, nation-state, and nation-state supported actors.”
Gebhart contradicts Slack’s claim that it is “virtually impossible” to eliminate the said risks, saying that any attacks can be prevented if Slack tweaks its user policy. According to Gebhart, Slack stores usernames and passwords, messages, and practically everything else that users do while on the Slack platform.
The problem is that this data is not end-to-end encrypted. This means Slack staff can read everything. Additionally, law enforcement can easily request the data from Slack should there be an ongoing investigation. Worst of all, hackers can easily break through the platform and steal the data.
Gebhart suggested that it’s not just large companies that are at risk, but also journalists, activists, and other users.
Another problem lies in Slack’s policy, which states that the default message and file retention settings are to keep everything for as long as the workspace exists. This is true for both the premium and free services of Slack. However, users on the free version do not see the messages after a certain time limit or when a message count is reached.
Defending its policy, Slack sent a statement to the media explaining that data collected from users is stored in case a user of the free version decides to upgrade to the premium service.
“We take the security and privacy of our customers’ data very seriously, and have received internationally recognized privacy and security certifications for information security management and protecting personal data in the cloud,” a Slack spokesperson said.