The weakness applies only to free workspaces, but with an estimated 8 million daily active users and only 3 million of them on a paid plan, according to a 2018 TechCrunch article, you do the math. Fine, we'll do it: that is roughly 5 million users whose messages sit on Slack's servers with no way to shorten how long they are kept.

Slack security alert

In papers filed with the U.S. Securities and Exchange Commission (SEC), Slack said that it faces threats from "sophisticated organized crime, nation-state, and nation-state supported actors." The company also acknowledged that its security measures "may not be sufficient to protect Slack and our internal systems and networks against certain attacks," and that it is "virtually impossible" for the company to completely eliminate the risk of a nation-state attack. That is sobering, because a successful attack could put a company's confidential data, its employees' personal data, or its intellectual property in the hands of exactly those actors; for government and defense users it is a national-security concern. By default, Slack retains everything you do on its platform: your account and profile data, every message, and every file, indefinitely. The problem is that this data is not end-to-end encrypted. Slack encrypts it in transit and at rest, but Slack holds the keys, so Slack can read it, and so can anyone who compromises Slack's servers or an account with access to them. If you are on a paid plan, you can change your workspace's retention settings to shorten how long messages are kept and have old messages deleted automatically, which shrinks what an attacker could take. On the free plan, you do not get that choice.

Security solution for Slack’s vulnerability

On the free plan, Slack lets your workspace post 10,000 messages. A message can be a single word or a lengthy post. Once you pass 10,000 messages, the oldest ones are archived on a first-in, first-out basis: they disappear from view but are not deleted. Slack says it does this so that customers who upgrade to a paid plan regain access to their older messages and files. Free workspaces are also limited to 5 GB of file storage; once you exceed it, your oldest files likewise become inaccessible but remain on Slack's servers, and the way to get them back is to upgrade. As a business model it is not a bad deal: try the app for a while, send 10,000 messages or 5 GB of files around your team, and if you like Slack, upgrade to a paid plan, which starts at $6.67 per user per month. Now the quick math: if 5 million free users each exchange more than 10,000 messages with their teams, that is billions of records retained on Slack's servers indefinitely, beyond the reach of the people who wrote them. What could possibly go wrong? Slack issued a statement to the media and said, "We take the security and privacy of our customers' data very seriously, and have received internationally recognized privacy and security certifications for information security management and protecting personal data in the cloud. All Slack customers — including customers on free teams — can manually delete messages at any time." Right. You can delete any message you can still see. Messages archived past the 10,000-message limit, and files past the 5 GB limit, are out of your reach until you upgrade. Get it? To delete them, you have to pay.

So, who’s telling the truth? And what do you do?

There is really nothing wrong with Slack's policy of limiting free use to 10,000 messages and 5 GB of files. What is wrong is that free workspaces do not get the retention controls paid workspaces get, so the data a breach could expose only grows, and its owners cannot shrink it. If you have been using a free workspace, your practical options are to pay for an upgrade and then either set a retention policy and delete what you no longer need, or simply keep using the paid version. Standard licenses start at $6.67 per user per month. Your workspace Owner or Admin can log into the workspace administration panel to see not only how many messages your team has exchanged but also how close you are to the 10,000-message and 5 GB limits.