Slack No More: Analyzing Disney's Bold Move to Dump Slack

Disney’s recent data breach highlights how using Slack can put entire company data at risk. Sensitive files, project plans, and communications are vulnerable to compromise. This incident is just the tip of the iceberg, exposing Slack’s broader security weaknesses and the potential for major data leaks.

Sep 23, 2024

Last week, Disney finally made the long-anticipated move that many in the tech and entertainment industries had been expecting: the entertainment giant announced it would completely cease using Slack throughout its organization. This decision came in the wake of a major data breach in July that had compromised sensitive company information.

“I would like to share that senior leadership has made the decision to transition away from Slack across the company.”

        - Hugh Johnston, Disney’s chief financial officer in an email to staff

Disney’s decision is not without precedent, and more are likely to follow.

Slack has a never-ending history of security vulnerabilities and data breaches. By using Slack, businesses have essentially handed over the entire blueprint of their organization without a second thought - intellectual property, business strategies, HR data, and more on a silver platter which Slack is not able to protect. Adding to these concerns is Slack’s recent controversial move to use customer data for training its AI, a practice that has alarmed many privacy advocates and corporate clients.

Disney’s decision is a wake-up call. It’s time that companies relook at the risks associated with adopting cloud-based communication tools without any due diligence and security vetting.

Let’s understand what has gone wrong and why this happened.

Why This Happened: History and the Overlooked Risks

The early 2010s saw a paradigm shift in business communication, particularly in internal correspondence. Email, long the de facto standard, began to lose ground to instant messaging platforms. However, it was 2020 that reshaped the landscape forever, as the COVID-19 pandemic catalyzed an unprecedented surge in remote work. Remote collaboration tools became essential, with Slack emerging as a frontrunner.

However, in the rush to stay operational in a suddenly changed environment, many businesses skipped a critical step, due diligence, and some ended up with consequences like Disney’s. By quickly integrating Slack into their operations, businesses exposed their entire organizational blueprint – including intellectual property, business strategies, sensitive HR data, and more – without fully considering the implications. Slack’s poor security did the rest.

The cracks in Slack’s security framework have grown increasingly apparent over the years. Its integration with a wide range of third-party apps also significantly broadens the attack surface. Most organizations never audited Slack itself before deploying it, and on top of that, each integration represents a potential vulnerability that many businesses lack the resources or expertise to audit thoroughly. No wonder Slack has become a haven for cybercriminals looking for data to steal and vulnerabilities to exploit.

Slack’s History of Breaches and Vulnerabilities

The Disney incident is not the only one; there have been several instances where Slack was exploited to gain unauthorized access to sensitive corporate data. Many smaller organizations have suffered similar fates without the same media attention.

Some recent breaches:

  • In 2024, Disney fell victim to a 1.2-terabyte hack, with the majority of the leaked data originating from Slack. Disney has since decided to ditch Slack for good.
  • In 2023, Slack suffered its own security incident, in which hackers stole private source code repositories from Slack itself, raising serious questions about its own security practices.
  • In 2022, a hacker gained access to Uber’s Slack account and, through it, to Uber data. The hacker also announced the intrusion on Uber’s #General Slack channel.
  • EA Games saw 780GB of data released on a cybercrime forum following a Slack-related breach.
  • Rockstar Games’ internal Slack messaging system was breached by an attacker who stole 90 clips of the unreleased game Grand Theft Auto 6. The attacker also posted the source code on a forum under the username TeaPotUberHacker.
  • Hackers gained access to Twitter’s Slack account and used the credentials found there to take over more than 130 high-profile Twitter accounts.
  • Password Vulnerability (2022): A critical security flaw in Slack’s invite link functionality exposed hashed passwords to all connected users in a workspace between April 2017 and July 2022.
  • Credential Breaches: Over 17,000 Slack credentials have been found for sale on the dark web, belonging to 12,000 different workspaces.
  • System Vulnerabilities: Slack has a history of security oversights, including a five-year leak of hashed passwords only addressed in 2022.

It’s quite evident that Slack’s journey has been marred by a series of high-profile security incidents, and the reality falls far short of Slack’s marketing claim of a secure solution for workplace communication. On top of that, Slack’s practice of storing all data indefinitely and unencrypted creates an attractive target for cybercriminals.

Slack’s AI Ambitions: Another Way to Compromise Your Business Data

One of the most alarming developments is Slack’s decision to use customer data to train its AI models. This means that all your company data – from casual conversations to highly sensitive business documents – can be used to enhance AI capabilities. While Slack claims this data is anonymized, the nature of machine learning models means that the AI could potentially reconstruct or infer sensitive information from the patterns it learns. The implications of this additional privacy risk are far-reaching:

  • Intellectual Property Exposure: Your company’s innovative ideas, product plans, and strategic discussions could inadvertently become part of Slack’s AI training data, potentially exposing your competitive advantages.

  • Confidentiality Breaches: Sensitive HR matters, financial discussions, or client information shared on Slack could be incorporated into the AI model, risking exposure of confidential data.

  • Regulatory Compliance Issues: For companies in regulated industries, the use of their data for AI training could potentially violate data protection laws and industry-specific regulations.

  • Competitive Intelligence: If Slack’s AI becomes sophisticated enough to understand and generate business insights, it could theoretically be used to answer queries that reveal patterns and strategies across multiple organizations, including your competitors.

  • Loss of Data Control: Once your data becomes part of an AI training set, it’s nearly impossible to fully remove or control its influence on the model.

What’s particularly troubling is that many organizations may not be fully aware of how their data is being used. Slack’s terms of service and data policies are complex, and the full extent of data usage for AI training may not be immediately apparent to all organizations.

Potential Misuse of Your Data

Even without a data breach, the misuse of organization data remains a significant risk (remember cases like Cambridge Analytica?). While Slack assures users that their data is anonymized and used responsibly, there’s always the possibility that data could be misused or sold in ways that are not immediately transparent to customers. Slack, which houses vast amounts of sensitive business information, could potentially be leveraged for purposes that go beyond what organizations expect. For example:

  • Monetization of Organization Data: While Slack claims to prioritize privacy, it could follow the path of other companies by selling organization data to third parties, such as marketers or analytics firms. Even anonymized data can sometimes be de-anonymized, exposing organizations’ intellectual property and exposing users to targeted advertising or even manipulation.

  • Profiling and Behavior Prediction: The data exchanged within Slack could be aggregated and analyzed to build detailed profiles of organizations and their employees. These profiles could be used to predict behavior, making them valuable for entities seeking insights into corporate strategies or industry trends.

The reality is that once data is collected, it can be used, sold, or repurposed in ways that are difficult to predict or control. As history has shown, legal data collection doesn’t always mean ethical use.

What’s at Stake: The True Cost of Convenience

The cost of using Slack is high, not only in terms of operating cost but also in data loss and, contrary to popular belief, productivity. Let’s understand what a company gives up to use a simple messaging app:

Intellectual Property at Risk

Slack doesn’t just track conversations; it also stores every document, file, and project discussed or shared on its platform. Intellectual property, including product designs, release strategies, project plans, and other sensitive materials, is all available to Slack. This means that everything your team discusses or shares, from early-stage ideas to finalized documents, becomes part of the platform’s ecosystem. In the event of a data breach or unauthorized access, this valuable intellectual property could be exposed, putting your company’s competitive edge and future growth at risk.

Also, as evident from the previous hacks, the data stored by Slack is not even encrypted, making it low-hanging fruit for attackers.

Strategic Data Exposure

Slack captures a comprehensive view of a company’s internal structure. It knows about your team compositions, their roles, competencies, and even ongoing projects. Such information can reveal a lot about the kind of work a company is involved in, including intellectual property. Whether it’s product development, marketing strategies, or hiring plans, the data stored on Slack has a detailed blueprint of a company’s operations, ready to be exposed.

From an employee’s perspective, Slack’s ability to track their activities across channels raises privacy issues. Slack can build profiles based on a user’s interests, conversations, and engagement, which could be sold to HR or used for profiling, affecting career progression or evaluations.

The Productivity Pitfall of Slack

Slack not only hosts a company’s own channels but also many external channels that have no relevance to the company. When an employee opens the Slack app to read a business message, they may be tempted to check other messages received on non-work channels. So while Slack is adopted to improve collaboration and communication, it can ironically become a productivity killer.

The real issue is that companies have little control over this external noise. Employees are drawn into discussions that, while engaging, have no relevance to their daily tasks or company goals. With Slack becoming a single hub for both professional and personal communication, the boundary between deep work and casual interactions gets muddied, often leading to fragmented attention and reduced productivity.

Exorbitant Pricing: Why Slack’s Pricing Doesn’t Add Up

While a less serious issue than data security, it’s still worth looking at Slack’s exorbitant pricing. Slack’s pricing model can quickly become unsustainable, especially for growing companies. What starts as a seemingly affordable solution often balloons into a significant expense as teams expand. Slack’s per-user, per-month subscription model might seem reasonable for small teams but becomes costly at scale.

Furthermore, Slack charges for every active user, even if they only engage occasionally. This means that businesses are paying for users who may not be fully utilizing the platform, inflating costs unnecessarily. The high price point becomes even harder to justify when compared to alternatives like mesibo, which offers a more capable and secure platform for as little as $0.01 per user per month versus Slack’s $8 per user per month.

Moving Forward – Rethinking Slack in the Enterprise Environment

Disney’s drastic move to drop Slack from its entire workspace serves as a stark reminder that in today’s data-driven world, organizations cannot afford to use platforms like Slack without proper due diligence, or they risk compromising their entire company’s data.

It’s understandable that during the chaos and uncertainty of the pandemic, companies prioritized rapid deployment over due diligence. However, as we gradually return to more stable times, organizations need to look beyond marketing hype and peer pressure and instead critically evaluate a tool’s security measures before adopting it. The ongoing issues with Slack serve as a stark reminder that popularity and convenience should never outweigh security and privacy concerns.

Alternative

At this moment, the most compelling alternative to Slack is mesibo. Many former Slack customers have made the switch to mesibo for their enterprise communication needs due to its unparalleled security features and cost-effective pricing model. Because of its robust security features, mesibo has been deployed in sensitive settings such as banks, airports, government agencies, and telemedicine.

With mesibo, organizations can download and deploy the entire communication platform on their own servers, eliminating concerns about third-party access to data and enabling compliance with various data protection regulations. This level of control is increasingly vital in today’s data-driven landscape, where the risks of data breaches and unauthorized access are ever increasing. mesibo also provides an open-source messenger with WhatsApp/Telegram/Slack-like functionality, which companies can download and modify to suit their requirements.

In addition, mesibo is much more cost-effective due to its on-premise nature and zero overheads. With pricing as low as $0.01 per user per month, mesibo provides substantial cost savings compared to Slack’s $8 per user per month. This dramatic price difference, coupled with mesibo’s enhanced security features and customization options, makes it an increasingly attractive choice for businesses of all sizes.

Another key advantage of mesibo is its versatility in terms of platform support. In addition to mobile platforms, mesibo also offers robust Python and C++ APIs. This opens up a world of possibilities for integration with cutting-edge technologies. Particularly noteworthy is how this makes it trivial to integrate mesibo with RAG (Retrieval-Augmented Generation) systems and LLMs, a growing trend in AI-enhanced communication and knowledge management.

The ability to easily integrate with RAG and LLMs positions mesibo at the forefront of the evolving landscape of intelligent enterprise communication tools. Companies can leverage these integrations to create more sophisticated chatbots, implement advanced search capabilities within their communication platforms, or even develop custom AI-driven assistants tailored to their specific business needs. This flexibility not only enhances the immediate utility of the platform but also future-proofs it against the rapidly advancing field of AI in business communications.