You may have heard some news earlier today about Slack’s sign-in process. The concerns that have been raised are really important to us, so we wanted to clarify how things work, why, and changes you can expect to see in the future.
We want to be very clear: no private user data was exposed on our sign-in pages, or anywhere else. No files were visible. No message content was viewable. No private communications were revealed. We take privacy and security very seriously.
The most prominent concern is that during the sign-in process, the names of all the teams associated with a particular email domain have been visible before signing in. There has been a good deal of confusion about this, and confusion is bad, so we’d like to clear some things up.
The ability to view team names that relate to a particular team’s email domain or individual’s email address was a feature designed to make it easy for our users to find and access teams. Many people who use Slack have enabled team discovery via email domain. Team owner(s) control this setting. It allows anyone using a particular email domain to see all the teams that have enabled the self-signup process for that domain. This helps larger teams get up and running faster since the administrator doesn’t have to send out individual invitations to each and every person. The majority of Slack users see team names on their sign-in screen when they sign in.
To break this down a bit more: when a team is created, team owners have the option to allow anyone using a particular email domain (for example: anyone@MyCompanyNameHere.com) to view and sign up to join that team. If a team is using that preference, then team names associated with an email domain were visible (even with an unauthenticated email address or domain). While consistent with the team owner’s settings for that team, it was far from ideal.
Team owners can also set the preference more narrowly so that new members may only join with an explicit invitation, which does not make the team name visible to everyone at that domain. These settings are under the owner’s control, and can be changed by them at any time.
As companies have added more and more Slack teams, we’ve realized the sign-in process, designed to make team communication faster and easier, has itself become cumbersome. When there was a small number of teams using Slack, it was a quick and easy way for new members to find their teams. With tens of thousands of active teams, the giant list of possible teams you can join is more confusing than helpful.
We are in the final stages of a redesign which streamlines this process and also adds support for single sign-on (SSO) through multiple identity and directory providers in order to give teams more direct control over authentication and team membership. We are working hard to push those changes out quickly, and feel it will address these concerns in a holistic way — in fact, we’ve already rolled out the new sign-in pages on desktop (you might notice that these pages have a slightly different look since they are using the new design for team sites).
In the meantime, we are clarifying our language about this setting so it’s very clear to team owners and administrators that team names are discoverable in this manner and are communicating to our users how they can change this setting or any of their team names.
At Slack, we pride ourselves on listening to our users. We also want to take the time to make sure we understand a concern so we can address it properly and thoroughly. We take security and privacy issues very seriously. Specifically, at Slack we:
- Have undergone multiple audit and certification processes, and are in the process of completing more (EU Safe Harbour, SOC 2 compliance, TRUSTe certification, and so on).
- Have one of the industry’s most active bug bounty programs and actively engage with the security research community to maintain a high level of active scrutiny.
- Have full-time staff dedicated to security as well as policy, compliance, and regulatory issues. We are also growing the team quickly to add more capacity.
- Have engaged independent security firms for ongoing review of our service design and regular penetration testing.
We encourage all security researchers to use our responsible disclosure policy, which is outlined at https://slack.com/whitehat.
Hundreds of thousands of people rely on Slack for their team’s communication on a daily basis. We are absolutely committed to providing a quality of service that continually exceeds our customers’ expectations.
This was a long post: not because we wanted to overwhelm you with detail, but because transparency is, and always has been, important to us. Thank you for reading it.