Nikkei Suffers Breach Via Slack Compromise

Japanese media conglomerate Nikkei Inc. on Tuesday disclosed a data breach that exposed data and chat histories for more than 17,000 employee Slack accounts.

Nikkei, based in Tokyo, owns several newspapers, television stations, and media outlets, including the Financial Times. In its breach disclosure, the company said an "unauthorized external login" occurred in its Slack workspace.

"An employee's personal computer was infected with a virus, leading to the leakage of Slack authentication credentials," the disclosure read, via Google Translate. "It is believed that this information was used to gain unauthorized access to employee accounts. The incident was identified in September, and countermeasures such as changing passwords were implemented."

The breach highlights once again how corporate communications platforms represent potentially rich attack surfaces for threat actors.

One Compromised Account, Many Impacted Users

The compromise of a single employee Slack account led to reams of internal data getting exposed to attackers. "Potentially leaked information includes the names, email addresses, and chat histories for 17,368 individuals registered on Slack," Nikkei said in a statement.

The company said both employees' and business partners' data were affected by the breach, though it's unclear how many third parties were impacted. Dark Reading contacted Nikkei for comment, but the company did not respond.

It's also unclear what other kinds of information and data may be contained in those chat histories. Cybersecurity experts this year have warned about sensitive data such as trade secrets potentially being exposed in resources beyond code repositories and development environments, such as Salesforce instances and Slack channels.

Nikkei also stated that no leakage of information related to journalist sources or reporting activities had been confirmed. The company also emphasized that personal information used for reporting and writing is not subject to Japan's laws for personal information protection.
