Slack Warns Investors It's a Target for Nation-State Hacking

Slack said that it faces threats from “sophisticated organized crime, nation-state, and nation-state supported actors,” according to an S-1 securities registration form the company filed with the Securities and Exchange Commission, which was published online today.

The document says that these threats from organized crime and nation-state actors and affiliates are alongside “threats from traditional computer ‘hackers;’ malicious code (such as malware, viruses, worms, and ransomware), employee theft or misuse, password spraying, phishing, credential stuffing, and denial-of-service attacks.” These threats are impossible to entirely mitigate, according to the document.

The S-1 filing does not claim that an attack from organized crime, nation-state, or nation-state affiliate actually happened. Rather, it just says that threats from these actors present an active risk to the company.

Slack was breached in March 2015, as the company points out in its S-1 filing. For four days, an unknown person or group of people had access to Slack information that included “user names, email addresses, encrypted passwords, and information” and phone numbers stored by the company. Slack introduced two-factor authentication to its services following the incident.

Companies that are preparing to go public—such as Uber, Lyft, Pinterest, Snapchat, and PagerDuty—all have sections in their S-1 registrations that address the threat of “unauthorized access” to their software, systems, and technologies. Already-public companies like Facebook and Twitter have to continually address hacking threats in their quarterly SEC filings.

Not-yet-public companies that have been hacked—such as Uber, Lyft, Snapchat, PagerDuty, and Twitter—have to point out in their S-1 filings that their systems have been compromised in the past. Like Slack, these companies also claim that attacks are impossible to unilaterally prevent.

However, none of these companies explicitly referred to “organized crime” or “nation-states,” as Slack did in its S-1 filing. When reached by Motherboard, Slack declined to comment.

Now is as good a time as ever to reiterate the following: Slack doesn’t have end-to-end encryption, and in some cases, it’s possible for your boss to download and read your entire Slack history without your knowledge. So assume anything you say on Slack could be held against you in court, and consider talking trash on Slack to be generally a bad idea.