Early on December 23, 2015 we disconnected certain custom bots created by users whose accounts had previously been deactivated. We did this to help ensure the security of the content for the Slack workspaces they had been enabled for.
A custom bot is an application that is a non-human user on your workspaces. Members can interact with it just like they do with each other. It requires a human user to set up like any other Slack workspace integration. When that human user is deactivated, the custom bot should likewise go away and no longer have access to the workspace and its content. We received a bug report that led us to believe that this was not happening in all cases as it should have. When we audited our systems for similar activity, we found that some custom bots on other workspaces remained enabled when they should not have been.
While we have no reason to believe that anyone took advantage of these circumstances to read messages which they would not otherwise have access to (or even that anyone was aware this was the case), it is impossible to rule it out definitively. Because we take security very seriously, we have acted quickly to disable these bots and notify all Slack workspaces that may have been impacted.
How many workspaces were impacted?
Approximately 0.05% of Slack workspaces were identified as having a custom bot enabled that was associated with a deactivated user. Those custom bots have been disabled and affected workspaces have been notified.
How long did you know about this issue before you notified affected workspaces?
We have been working diligently since becoming aware of the issue to determine which workspaces were likely impacted. Our goal has been to communicate as quickly as possible while ensuring that our facts are accurate. We received a user report late on Friday, December 18th that we began investigating. As a result of this investigation, we ran an audit of custom bot integrations across Slack that we completed late Monday evening, December 21, 2015. We notified affected workspaces within 36 hours of the audit being completed.
What kind of content was available to deactivated users?
Deactivated users may have had access to the content that the custom bot had access to. But it’s important to note that while access was technically possible, we have no reason to believe that anyone took advantage of these circumstances to read messages which they would not otherwise have access to (or even that anyone was aware this was the case). However, it is impossible to rule it out definitively.
What kind of policies does Slack have in place to monitor the security of integrations, including bots?
For Slack Apps in the App Directory, we have a customer experience team and a policy lead working together on the review process. As it is early, before an App is included in the directory, we test apps and vet their OAuth scopes. Our users also have the ability to report Apps from the App Directory if there are any problems or concerns.
For custom bots, we have addressed the issue that resulted in deactivated users having possible access through custom bots that were not properly disabled. For additional security, workspace administrators can change their settings to limit which users can add custom bots to their workspace.