Slack retains messages forever and is at risk from state hackers, experts warn

Workplace messaging app admits risk from 'sophisticated organised crime, nation-state, and nation-state supported actors'

Anthony Cuthbertson
Wednesday 03 July 2019 13:47 BST
The Slack messaging app was down across Windows, Mac, iOS and Android platforms on Wednesday 27 June (REUTERS)

An online privacy watchdog has issued a stark warning about the risks of using the popular workplace chat app Slack.

Gennie Gebhart, who serves as the associate director of research at the Electronic Frontier Foundation, outlined the threat of nation-state attacks using the troves of personal data that Slack stores.

In an op-ed in the New York Times, Ms Gebhart cited Slack’s recent filing with the Securities and Exchange Commission, which highlighted threats from “sophisticated organised crime, nation-state, and nation-state supported actors”.

In the filing Slack claimed it is “virtually impossible” to eliminate this risk, though Ms Gebhart claimed any such attack could be averted by simply readjusting Slack’s user policy.

“Right now, Slack stores everything you do on its platform by default – your username and password, every message you’ve sent, every lunch you’ve planned and every confidential decision you’ve made,” she wrote.

“That data is not end-to-end encrypted, which means Slack can read it, law enforcement can request it, and hackers – including the nation-state actors highlighted in Slack’s [SEC filing] – can break in and steal it.”

Ms Gebhart warned that it is not just big companies that are at risk, but also political organisations, journalists, activists and other users of the messaging app.

Slack’s policy states that for both its premium and free service, “the default message and file retention settings is to keep everything for as long as the workspace exists”.

Those using the free version, however, will not be able to see the messages after a certain time limit or message count is reached – despite them remaining on Slack’s servers.

Slack explained this policy in a statement sent to media, claiming the data is stored in case a user chooses to upgrade.

“We take the security and privacy of our customers’ data very seriously, and have received internationally recognised privacy and security certifications for information security management and protecting personal data in the cloud,” a Slack spokesperson said.

“All Slack customers — including customers on free teams — can manually delete messages at any time.”
