An unprotected AI service is streaming private Slack messages online

News
By
published

The tool's owners have been notified, but it hasn't addressed the flaw yet

A person at a laptop with a cybersecure lock symbol floating above it.
(Image credit: Shutterstock / laymanzoom)
  • Cybernews team find an AI-powered Slack tool is leaking data online
  • GitLab commits and Slack Huddle conversations are being exposed
  • The company was notified, but hasn't reacted yet

Cybersecurity researchers have discovered an AI tool for Slack is leaking private user data, including chat messages and other communication.

The tool is called Struct Chat, and is designed to enhance productivity within Slack. It offers features such as organizing and summarizing threads, answering questions, and generating newsletters, and costs $29.95 per month.

In mid-October 2024, the Cybernews researchers found a “company-owned unprotected web service” streaming user data. The exposed instance was an Apache Kafka Broker, a real-time distributed message streaming platform.

Taking appropriate action

As the researchers explained, this platform acted as a central hub for moving data between different applications. As such, it handles large amounts of data and is a popular target.

“While observing the data stream for a brief period, we encountered examples of GitLab commits, Slack Huddle conversations, and data from other services. This enables threat actors to track and read messages and other events in real-time and extract sensitive company and personal information without any restraints,” the researchers said.

Here is the full list of exposed information:

  • Tokens, IDs, first and last names
  • Email addresses
  • Conversations with other users and the bot AI, timestamps
  • Internal team names and other general information
  • Event data and type (what the user is doing, for example, updating Slack profile)
  • Links to pipelines, internal URLs, CD/CI (Continuous Integration and Continuous Deployment) statuses

Allegedly, the company developing this tool, also called Struct Chat, was notified about the findings multiple times. However, as of January 27, the leak has not yet been addressed.

“In one hour, the unprotected instance transmitted data from over 1,000 unique users from 200 unique companies. This leak can easily be exploited to gather users' personally identifiable information, such as full names, email addresses, chats, and other internal communications, various internal links and resources,” Cybernews researchers concluded, urging all users to be careful and “take appropriate action”.

Via Cybernews

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

Read more
A person using DeepSeek on their smartphone
DeepSeek security breach - critical databases exposed, more than one million records reportedly leaked
Shadowed hands on a digital background reaching for a login prompt.
Private API keys and passwords found in AI training dataset - nearly 12,000 details leaked
Data Breach
Thousands of widely-used public workspaces are leaking data
Data leak
AI development service Builder.ai potentially exposed over 1TB of user data
Stress
Time tracker tool spilled details on remote workers - millions of screenshots leaked
hacker.jpeg
Thousands of GitHub repositories exposed via Microsoft Copilot
Latest in Security
Webex by Cisco banner on a Chromebook
Cisco warns some Webex users of worrying security flaw, so patch now
Red padlock open on electric circuits network dark red background
AI-powered cyber threats are becoming the biggest worry for businesses everywhere
Woman using iMessage on iPhone
Apple to take legal action against British Government over backdoor request
Red padlock open on electric circuits network dark red background
Aviaton firms hit by devious new polyglot malware
A laptop with a red screen with a white skull on it with the message: "RANSOMWARE. All your files are encrypted."
Major ransomware attack sees Tata Technologies hit - 1.4TB dataset with over 730,000 files allegedly stolen
Image of laptop infected with malware
Ransomware criminals are now sending their demands...by snail mail?
Latest in News
A hand holding a phone showing the Android Find My Device network
Android's Find My Device can now let you track your friends – and I can't decide if that's cool or creepy
Insta360 X4 360 degree camera without lens protector
Leaked DJI Osmo 360 image suggests GoPro and Insta360 should be worried – here's why
A YouTube Premium promo on a laptop screen
A cheaper YouTube Premium Lite plan just rolled out in the US – but you’ll miss out on these 4 features
Viaim RecDot AI true wireless earbuds
These AI-powered earbuds can also act as a dictaphone with transcription when left in their case
The socket interface of the Intel Core Ultra processor
Intel unveils its most powerful AI PCs yet - new Intel Core Ultra Series 2 processors pack in vPro for lightweight laptops and high-performance workstations alike
An Nvidia GeForce RTX 5070
Nvidia confirms that an RTX 5070 Founders Edition is coming... just not on launch day
More about security
Webex by Cisco banner on a Chromebook

Cisco warns some Webex users of worrying security flaw, so patch now
Image of laptop infected with malware

Ransomware criminals are now sending their demands...by snail mail?
A person holding out their hand with a digital AI symbol.

The decision-maker's playbook: integrating Generative AI for optimal results
See more latest
Most Popular
Thanko monitor
At 11lbs, this double 24-inch 'portable' monitor is a bit too much for me but I love the audacity
Rocket Enterprise SSD
Sabrent launches its first 30.72TB SSD, but like all the others, you won't be able to run it on your PC (or buy it on Amazon)
Volkswagen ID.EVERY1 Concept Car
Volkswagen reveals the ID.1 concept car, which will spawn its cheapest all-electric model to date
Eurocom Raptor X17
This $12,000 laptop comes with 24TB RAID-0 SSD storage, 128GB of RAM, and Intel's most powerful mobile CPU - but no Nvidia RTX 5090M GPU
BYD Ling Yuan DJI Drone launcher
BYD’s new roof-mounted DJI drone launchpad looks like a dream for filming road trips – but less so for car safety
An AI face in profile against a digital background.
'Simulating scientists': A new AI tool wants to make serendipitous scientific discovery less human
A hand holding a phone showing the Android Find My Device network
Android's Find My Device can now let you track your friends – and I can't decide if that's cool or creepy
Webex by Cisco banner on a Chromebook
Cisco warns some Webex users of worrying security flaw, so patch now
A YouTube Premium promo on a laptop screen
A cheaper YouTube Premium Lite plan just rolled out in the US – but you’ll miss out on these 4 features
Viaim RecDot AI true wireless earbuds
These AI-powered earbuds can also act as a dictaphone with transcription when left in their case