Slack A.I CyberSecurity Scoring
Slack
Company Information
Website:https://slack.com/
Employees number:2,964
Number of followers:1,723,517
NAICS:513
Industry Type:Technology, Information and Internet
Homepage:slack.com
Slack Risk Score (AI oriented)
Between 650 and 699
SlackTechnology, Information and Internet
Updated:
04/05/2026
04/05/2026
683/1000
Weak
B
Slack Global Score (TPRM)
xxxx
SlackTechnology, Information and Internet
Score locked

SlackWeak
Current Score
683B (WEAK)
01000
4 incidents
-41.5 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026
689
JUNE 2026
687
MAY 2026
683
APRIL 2026
682
MARCH 2026
759
Breach
20 Mar 2026 • Slack
Notion, Slack, Google, Zoom, Nikkei and Workday: Your work apps are quietly handing 19 data points to someone
Workplace Apps Collect Extensive User Data, Raising Privacy and Security Concerns
680
CRITICAL-79
WORNOTGOOZOONIKTIN1777868873
Workplace Apps Collect Extensive User Data, Raising Privacy and Security Concerns
A recent study by Incogni, analyzing data from the Google Play Store as of March 20, 2026, reveals that ten widely used workplace apps including Gmail, Microsoft Teams, Zoom Workplace, Slack, and Notion collect an average of 19 data points per app, with some sharing sensitive information with third parties. These apps, cumulatively downloaded over 12.5 billion times, are integral to U.S. corporate operations but pose significant privacy and security risks.
Data Collection and Sharing Practices
Gmail leads in data harvesting, collecting 26 distinct data types, including approximate location, app interactions, and user IDs for advertising. Microsoft Teams and Zoom Workplace follow closely, with 25 and 23 data types, respectively both uniquely gathering precise location data. Six of the ten apps, including Slack, Notion, and Zoom Workplace, use collected data for marketing, with Slack, Todoist, and Notion specifically harvesting employee email addresses for this purpose.
Notion stands out for its outbound data flow, sharing eight data types such as email addresses, names, and device IDs with third parties, including advertising partners. The app’s privacy policy permits tracking tools on user browsers, raising concerns over the exposure of sensitive workspace content like HR records and client data. Regulatory scrutiny has intensified, particularly after the EU’s Data Protection Board tightened GDPR requirements in December 2024 regarding personal data use in AI training, directly impacting Notion’s third-party model integrations.
Security Vulnerabilities and Breach History
Most apps in the study have a history of breaches. In January 2026, a 96-gigabyte database containing 149 million login credentials 48 million tied to Gmail was exposed, attributed to infostealer malware on user devices. Slack suffered a November 2025 breach where attackers used stolen credentials to access accounts of over 17,000 Nikkei employees, exposing names, emails, and chat histories. Trello, Zoom, and Microsoft products have also faced incidents, with Trello data appearing for sale in January 2024.
Workday is the only app in the analysis without a user data deletion option, despite holding employment records and payroll details. In August 2025, the platform confirmed two breaches linked to its Salesforce CRM, where attackers obtained business contact information as part of a ShinyHunters social engineering campaign.
BYOD Risks and Platform Disparities
Many employees install these apps on personal devices, exposing contact details, financial data, and location information to advertising networks or corporate administrators. Slack, for example, lacks end-to-end encryption, allowing workspace owners to access direct messages and private channels. While the study focuses on Google Play data, Incogni notes that iOS disclosures may differ, though past comparisons suggest similar privacy practices across platforms.
The findings highlight the trade-offs between workplace productivity and data exposure, with recurring breaches and extensive tracking underscoring the risks of integrating these tools into daily operations.
INCIDENT DETAILS -
TYPE
MOTIVATION
IMPACT
DATA BREACH
REFERENCES
FEBRUARY 2026
758
JANUARY 2026
757
DECEMBER 2025
756
NOVEMBER 2025
764
OCTOBER 2025
759
Vulnerability
28 Oct 2025 • Slack
Slack
Slack Wikipedia Link Rendering Glitch Enables Malware Distribution
755
MEDIUM-4
TIN0344703102825
Cybersecurity researchers uncovered a vulnerability in Slack’s link-rendering mechanism, where improper spacing between punctuation and text (e.g., `face.book`) could be exploited to generate deceptive hyperlinks. Attackers manipulated Wikipedia articles by inserting maliciously formatted footnotes, tricking Slack into displaying fake links in preview panes. These links, when clicked, redirected victims to malware-hosting sites. Over 1,000 Wikipedia pages were identified as potential vectors. The attack required prior access to a victim’s Slack workspace (e.g., via compromised accounts) and relied on social engineering to lure clicks. While no direct data breaches or financial losses were confirmed, the flaw exposed users to phishing and malware risks, undermining trust in Slack’s platform security. The issue also highlighted broader concerns about Slack’s third-party app integration policies, which could amplify attack surfaces. No evidence suggested large-scale exploitation, but the method’s simplicity and reliance on trusted sources (Wikipedia) increased its potential effectiveness.
INCIDENT DETAILS -
TYPE
MOTIVATION
IMPACT
REFERENCES
SEPTEMBER 2025
758
AUGUST 2025
757
JUNE 2024
760
Cyber Attack
01 Jun 2024 • Slack
Context.ai, OpenAI, Slack and GCP: The Vercel Breach: OAuth Supply Chain Attack Exposes the Hidden Risk in Platform Environment Variables
Multi-Stage OAuth-Based Attack Chain Targeting Organizations
744
CRITICAL-16
GCPTINOPETHE1776717501
Cybersecurity Alert: Detection Logic for a Multi-Stage OAuth-Based Attack Chain
A recent cybersecurity advisory outlines detection strategies for a sophisticated attack chain targeting organizations via compromised OAuth applications, internal system access, and credential abuse. The threat actors exploited a known-bad OAuth Client ID (110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com) linked to the Context.ai application, enabling unauthorized access to Google Workspace environments.
### Key Attack Stages & Detection Patterns
1. OAuth Application Anomalies (Stages 1–2)
- Token Abuse: Alerts should trigger on token refresh/authorization events tied to the compromised Client ID.
- Over-Permissioned Apps: Review OAuth apps with broad scopes (e.g., full mail/Drive access) and revoke unused or unauthorized applications.
- Token Theft Indicators: Flag token usage from IPs outside expected corporate or vendor CIDR ranges.
2. Internal System Access & Lateral Movement (Stage 3)
- SSO/SAML Anomalies: Monitor identity provider logs for suspicious authentication (e.g., unfamiliar IPs, geolocations, or first-time access to internal tools like Vercel, CI/CD platforms).
- Credential Harvesting: Detect bulk email searches (e.g., "API key," "secret," "password") and unusual Drive file access (e.g., credential stores, engineering docs).
- OAuth-Connected Tool Abuse: Track downstream services (Slack, Jira, GitHub) for off-hours or anomalous API activity tied to compromised accounts.
- Privilege Escalation: Watch for unauthorized permission requests, group membership changes, or admin console access.
3. Environment Variable Enumeration (Stage 4)
- Vercel Audit Logs: Baseline normal deployment activity to detect unusual environment variable access (e.g., high-volume reads, user-driven queries instead of service accounts).
4. Downstream Credential Abuse (Stage 5)
- Exposed Credentials (June 2024–April 2026): Audit logs (AWS CloudTrail, GCP/Azure audit logs, SaaS APIs) for usage from unexpected IPs or inactive time windows.
- Immediate Response: Rotate compromised credentials and investigate attacker actions.
5. Third-Party Leak Notifications
- Automated Alerts: Monitor leaked-credential notifications from GitHub, AWS, OpenAI, Stripe, and other providers treating platform-specific leaks as potential compromise indicators.
### Impact & Scope
The attack chain highlights risks from OAuth abuse, lateral movement via trusted identities, and credential theft from deployment platforms. Organizations are advised to implement SIEM detection rules (Sigma, Splunk, KQL, etc.) tailored to their log schemas to identify and mitigate these threats. The exposure window for affected credentials spans June 2024 to April 2026, emphasizing the need for proactive monitoring.
INCIDENT DETAILS -
TYPE
IMPACT
DATA BREACH
REFERENCES
JUNE 2022
802
Breach
16 Jun 2022 • Slack
Slack
Slack GitHub Code Repository Breach
742
CRITICAL-60
SLA1946123
Slack suffered a security incident that affected some of its private GitHub code repositories.
The immensely popular Salesforce-owned IM app is used by an estimated 18 million users at workplaces and digital communities around the world.
The breach happened on December 31st, 2022.
The threat actors gained access to Slack's externally hosted GitHub repositories via a limited number of Slack employee tokens that were stolen.
INCIDENT DETAILS -
TYPE
IMPACT
DATA BREACH
REFERENCES
Frequently Asked Questions
?
What is the current A.I Rankiteo Cyber Score for Slack ??
What was Slack's A.I Rankiteo Cyber Score in June 2026 ??
What was Slack's A.I Rankiteo Cyber Score in May 2026 ??
What was Slack's A.I Rankiteo Cyber Score in April 2026 ??
What was Slack's A.I Rankiteo Cyber Score in March 2026 ??
What was Slack's A.I Rankiteo Cyber Score in February 2026 ??
What was Slack's A.I Rankiteo Cyber Score in January 2026 ??
What was Slack's A.I Rankiteo Cyber Score in December 2025 ??
What was Slack's A.I Rankiteo Cyber Score in November 2025 ??
What was Slack's A.I Rankiteo Cyber Score in October 2025 ??
What was Slack's A.I Rankiteo Cyber Score in September 2025 ??
What was Slack's A.I Rankiteo Cyber Score in August 2025 ??
What is the average per-incident point impact on Slack's A.I Rankiteo Cyber Score over the past 12 months ??
Where can I access detailed records of all cyber incidents associated with Slack ??
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology ??
Where can I view Slack's profile page on Rankiteo ??
How accurate is the A.I Rankiteo Risk Scoring methodology ?