Release 3.1Security

Credential Exposure in Slack

Plaintext login credentials shared in team communication channel

Finding

On 5 February, a team member shared a production login email and password in plaintext within the Slack channel during debugging.

Severity: High

Details

The shared credentials included:

A production ordering portal email address
A plaintext password
The production URL where the credentials could be used

The credentials were shared in the context of asking Matt to test a specific project view, offering a test account for verification purposes.

Risk

Slack message history is persistent and searchable
Channel members (current and future) have access to the credentials
If the credentials provide elevated access, this could enable unauthorised actions
The password pattern suggests it may be a common/weak password

Recommended Actions

Immediately rotate the exposed password
Audit the account for any unauthorised activity since exposure
Remind the team that credentials should never be shared in Slack - use a secure credential manager or direct secure channel
Consider implementing credential scanning on Slack to flag plaintext passwords

Security Observations

Security-relevant findings from the stabilisation period

Unauthorised Portal Access

User accessed Ordering Portal without authorisation due to session enforcement gaps

On this page

Finding Details Risk Recommended Actions