Chat service Slack has filed an official complaint against Microsoft with the European Commission. According to the business chat app, Microsoft is guilty of unfair competition, because it bundles Teams with its Office 365 tools. Simultaneously, Slack is fighting a few battles closer to home. Last week’s Twitter hack seems to have been caused by a hacker gaining access to Twitter’s Slack account. Just days later, security researchers discovered an abundance of Slack credentials being sold online.
Slack Files Competition Complaint Against Microsoft
The complaint in the EU concerns Microsoft Teams, a chat program that, like Slack, is widely used in the (home) workplace. When a consumer purchases and installs Office 365 – the usual software package on a Windows computer – Teams is automatically included. Moreover, the installation of Teams is irreversible.
According to Slack, this means that Microsoft “exploits its market dominance to eliminate competition”. Microsoft is forcing “millions of users to install it”. By bundling the app, the tech giant also manages to hide the real cost. As a result, Slack and similar services are being sidelined. After all, users are less likely to purchase another chat or video calling product when they already have one installed.
Both apps are widely popular due to the coronavirus crisis. Slack recorded 12 million paying users in the last quarter. Microsoft counted 75 million users worldwide back in April. If the complaint indeed results in an investigation, Microsoft risks huge fines. Slack hopes the European Commission will force Microsoft to sell Teams as a separate product.
Hackers Used Slack to Breach Twitter
In the meantime, Slack is confronted with a few lingering issues closer to home. One of them concerns questions surrounding Slack privacy flaws and previously identified security risks, such as “hackers getting access to customer Slack accounts”. Back in April 2019, when Slack was preparing to go public, the company included “unauthorized access, resulting in the disclosure of API keys, passwords and other data” in its risk analysis.
Unfortunately, this seems to be exactly what happened in the lead-up to the high-profile Twitter bitcoin scam. On its support page, Twitter immediately revealed the hack to be the result of a “coordinated social engineering hack by people who successfully targeted some of our employees with access to internal systems and tools”.
Reporters are trying to piece together how the unprecedented attack could have unfolded. Several people involved in the attack spoke with The New York Times. The article unravels how young hackers’ online conversation quickly spiraled out of control when a user known as ‘Kirk’ found a way into Twitter’s internal Slack messaging channel. There he allegedly discovered Twitter credentials and consequently managed to gain access to internal Twitter administrative tools. Twitter declined to comment, citing the active investigation.
17,000 Slack Credentials Being Sold Online
Following last week’s Twitter hack, cyber intelligence security firm KELA decided to scour the cybercrime market for Slack credentials, to see how popular they would be among cybercriminals. As Slack is growing in popularity, it is indeed a possibility that it is becoming a more attractive target to hackers.
“The supply side of the equation is clear. Any actor interested in Slack logins can easily find them in automated markets that sell credentials stolen via infostealers or banking trojans. Querying KELA’s vast databases of credentials offered on these markets, KELA found more than 17,000 Slack credentials offered for sale – starting at $0.50 and going all the way up to $300 per bot.”
Despite the large number of Slack credentials available, hackers haven’t been that interested, “suggesting there is no active interest in targeting Slack among cybercrime communities”. The likely reason is that Slack is a standalone tool, unlike Teams or Hangouts. The latter two applications are linked to Microsoft 365 and G Suite respectively. Also, Slack’s channels rarely contain useful information. Therefore, most of the time, gaining access is a waste of time. Hopefully Twitter was just an exception.