{"id":5700,"date":"2025-11-06T20:13:36","date_gmt":"2025-11-06T20:13:36","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5700"},"modified":"2025-11-06T20:13:36","modified_gmt":"2025-11-06T20:13:36","slug":"nikkeis-slack-breach-leaks-sensitive-data-from-more-than-17000-users","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5700","title":{"rendered":"Nikkei\u2019s Slack breach leaks sensitive data from more than 17,000 users"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Japanese media company Nikkei has confirmed that a security breach of its Slack accounts has potentially leaked highly sensitive information from more than 17,000 of its users. Consultants point to the incident as yet another reminder of the dangers when non-corporate devices are allowed to access confidential corporate data.<\/p>\n<p>\u201cAn employee\u2019s personal computer was infected with a virus, leading to the leakage of Slack authentication credentials. It is believed that this information was used to gain unauthorized access to employee accounts,\u201d Nikkei said in <a href=\"https:\/\/www.nikkei.co.jp\/nikkeiinfo\/en\/news\/announcements\/1394.html\" target=\"_blank\" rel=\"noopener\">a published statement<\/a>. \u201cThe incident was identified in September and countermeasures such as changing passwords were implemented. Potentially leaked information includes the names, email addresses, and chat histories for 17,368 individuals registered on Slack.\u201d<\/p>\n<p>The Nikkei statement added, \u201cConsidering the incident\u2019s significance and to ensure transparency, we voluntarily reported it to [Japan\u2019s] <a href=\"https:\/\/www.ppc.go.jp\/en\/\" target=\"_blank\" rel=\"noopener\">Personal Information Protection Commission<\/a>. 
No leakage of information related to sources or reporting activities has been confirmed.\u201d<\/p>\n<p>Cybersecurity consultant <a href=\"https:\/\/formergov.com\/directory\/brianlevine\" target=\"_blank\" rel=\"noopener\">Brian Levine<\/a>, a former federal prosecutor who today serves as executive director of FormerGov, a directory of former government and military specialists, stressed that this is part of an ongoing trend of Slack breaches.<\/p>\n<p>\u201cThere is often increased risk when employees or contractors access company resources from non-company-managed devices. Recent attacks against Okta, MGM Resorts, and others have been linked to such unmanaged access,\u201d Levine said, adding that last year, \u201can attacker exfiltrated more than [1 terabyte] of internal data from Disney\u2019s Slack environment when a contractor had accessed Slack from an unmanaged device, bypassing monitoring tools.\u201d<\/p>\n<p><a href=\"https:\/\/www.infotech.com\/profiles\/erik-avakian\" target=\"_blank\" rel=\"noopener\">Erik Avakian<\/a>, technical counselor at Info-Tech Research Group, noted that one of the most concerning things about attacks similar to the Nikkei breach is that the attackers are often able to easily bypass MFA defenses.<\/p>\n<p>\u201cAn employee\u2019s computer gets hit by malware designed to steal credentials. The malware grabs Slack session tokens and cookies, then sends them to attacker command and control servers,\u201d Avakian said. 
\u201cWith those stolen and likely active tokens, the attacker is able to log into Slack from their own device and access private channels and chat history without even triggering a multi-factor authentication prompt, since they reused an already-authenticated session.\u201d<\/p>\n<p>Avakian said that the nature of these attacks suggests that enterprise CISOs should consider procedural changes.<\/p>\n<p>This kind of attack would give threat actors \u201cbroad access to channels and integrations, which made the impact worse. Weaknesses around this incident shine a light on unmanaged or poorly protected devices, long-lived tokens, and not enough logging or alerts for suspicious sessions,\u201d Avakian said. \u201cOrganizations can learn from these types of incident, and those using Slack, or any other widely used communications platform similar to Slack, should maintain a policy for revoking active sessions and refreshing tokens for affected users routinely, forcing password resets and rotating API tokens.\u201d<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/jeffreyeman\/\" target=\"_blank\" rel=\"noopener\">Jeff Man<\/a>, a senior information security consultant with Online Business Systems, pointed out, \u201cthe larger discussion should be on the failings of the Nikkei IT\/IS program to protect against some sort of attack that targeted its employees. Why are employees allowed to use Slack on personal devices?\u201d<\/p>\n<p>\u201cSo this is really an issue of risk management,\u201d Man said. \u201cIn the case of Nikkei, it appears the exploitation was elsewhere [on the system]. The initial access allowed the miscreants to use credentials to gain access to Slack. 
That\u2019s not a compromise of Slack itself, that\u2019s a compromise of employee account authentication.\u201d<\/p>\n<p><a href=\"https:\/\/thecyberdr.com\/#about\" target=\"_blank\" rel=\"noopener\">Stephen Boyce<\/a>, security consultant and CEO of The Cyber Dr., said the Nikkei incident represents \u201cwhat happens when someone uses a personal device to get into work systems. Once that device gets hit with malware, it\u2019s game over for the credentials. The part that worries me is this could happen anywhere. People forget how much sensitive stuff ends up in Slack: messages, files, links, sometimes even credentials. Once someone has that, they can poke around pretty freely.\u201d<\/p>\n<p>\u201cTo me, it\u2019s just another reminder that zero trust has to go all the way out to the edge, not just the network. You\u2019ve got to know the device, use MFA tied to managed hardware, and control what data lives in those SaaS tools,\u201d Boyce said. \u201cYou may also be asking \u2018Well, do we do away with BYOD altogether?\u2019 And the short answer is \u2018no\u2019 but we do need to look at ways we can secure the workforce beyond company-issued assets.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Japanese media company Nikkei has confirmed that a security breach of its Slack accounts has potentially leaked highly sensitive information from more than 17,000 of its users. 
Consultants point to the incident as yet another reminder of the dangers when non-corporate devices are allowed to access confidential corporate data.\u00a0 \u201cAn employee\u2019s personal computer was infected [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5701,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5700","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5700"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5700"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5700\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5701"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5700"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5700"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5700"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}