Slack now lets you DM anyone — and that's a problem

Slack is going to start letting its users direct-message people outside of their company with the new Slack Connect DMs feature.

The service was originally announced back in October, but it’s only just started rolling out. The goal is to ensure companies working with partners or clients can communicate, though there are so many more possibilities than that.

However, it could also be regarded as a bad move, much like how publishing your personal email address on 4chan could be considered a very bad idea.

Connect DMs functions through Slack’s Connect feature, which launched last year and was built to help businesses collaborate through shared channels. Adding DMs into the mix is the latest part of that. 

The good news is that it’s not like email or text messaging, where anyone can send you a message provided they have the right address. 

Connect DMs work by sending a special link, forcing both sides to start the shared conversation. Depending on how a business has set up its Slack channel, it may require admin approval as well.

Connect DMs could have security and privacy issues

A lot of the outrage against this feature on Twitter has focussed on the risk of abuse and spam that stems from letting outsiders send messages to private Slack channels. Those concerns arise because Slack has no options to block or report other users.

But there are, rightfully, concerns about security and privacy, such as the fact that Slack doesn’t encrypt your messages, and stores them indefinitely. That includes direct messages, which can be accessed, archived and exported if your employer has a Slack Plus plan.

That will likely include direct messages sent between companies, and presumably those conversations would be available to admins on both sides.

But personal privacy isn’t the only issue, because it could expose a company’s sensitive information.

Remember the big Twitter hack from last year? The one that had celebrities tweeting out an almost-identical Bitcoin scam? 

According to a New York Times investigation, it all happened because a hacker managed to get into Twitter’s private Slack channel. Once there, “Kirk”, as he was known, was able to access a service that gave him access to Twitter servers. Access that was then reportedly used to launch the crypto scam.

The story hasn’t been confirmed by Twitter, which declined to comment at the time. But it does go to show how something could go wrong if you give private Slack access to someone with nefarious intentions. 

Last week, an 18-year-old Florida man was sentenced to three years in prison for the hack, which took place while he was a juvenile. Florida authorities said he convinced a Twitter employee that he also was a Twitter employee and deserved access to Twitter's internal systems.

Connect DMs won’t give outsiders unfettered access to a private Slack channel, but it does mean there's another potential hole in security. Slack may not be the most obvious target for hackers, but we’ve already seen what can happen if they manage to access the wrong conversations. So Slack admins take note.

Slack Connect DMs is rolling out to paid users today, and will eventually come to free users “soon”.

Tom Pritchard
UK Phones Editor

Tom is Tom's Guide's UK Phones Editor, tackling the latest smartphone news and vocally expressing his opinions about upcoming features or changes. It's a long way from his days as editor of Gizmodo UK, when pretty much everything was on the table. He’s usually found trying to squeeze another giant Lego set onto the shelf, draining very large cups of coffee, or complaining about how terrible his Smart TV is.