Notifying the Transmute Community

Default Slack Setting Led to Unwanted Exposure

Transmute · 2 min read · Apr 30, 2019


This post is to notify our community that email addresses and names in our slack community were temporarily exposed. The issue was reported privately to us, but we wanted to share what happened, the timeline, and our sincere apologies for not initially configuring our slack community correctly.

We have an open slack channel to facilitate efficient communications to and among our open source community and customers. In this case, the default slack security settings combined with our intention to be open exposed our community in a way we never intended. We apologize for this oversight, and we greatly appreciate our community notifying us. Rest assured, the issue has been resolved.

As you can read here, other Slack communities have been impacted by this far worse than ours, and this will continue for any workspace that does not opt out of the default setting described below.

We have no reason to believe that the community email addresses were harvested or that community members are being targeted. Nonetheless, we take even a potential breach extremely seriously.

Resolution Timeline

April 24th — We received a report that our slack supported legacy tokens, and that they could be used to reveal community email addresses.

April 24th — We locked down slack permissions by opting out of the default setting in question. You can find this setting in your own Slack community by navigating to the admin dashboard > Settings & Permissions > scroll to the middle of the section until you find “Email Display” > expand the section and uncheck the box for displaying your community’s email addresses.

Screenshot from Transmute’s Slack admin dashboard.

April 30th — We further resolved the issue by enabling “Approve Apps,” as noted here, revoking existing tokens.
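An added verification check, not part of Transmute's post, for confirming the “Email Display” opt-out above actually took effect: given a saved Slack `users.list` response fetched with an ordinary member-level token, it lists the members whose profile still carries an `email` field. The JSON is a constructed sample; the `is_bot`, `deleted` and `response_metadata.next_cursor` fields are from the documented `users.list` schema.

```python
import json

# Constructed sample of a Slack users.list response (not real data): one human
# member whose profile still carries an email, one whose profile does not, and
# the built-in Slackbot entry, which the audit ignores.
SAMPLE_USERS_LIST = json.loads("""
{
  "ok": true,
  "members": [
    {"id": "U0001", "name": "alice", "is_bot": false, "deleted": false,
     "profile": {"real_name": "Alice Example", "email": "alice@example.com"}},
    {"id": "U0002", "name": "bob", "is_bot": false, "deleted": false,
     "profile": {"real_name": "Bob Example"}},
    {"id": "USLACKBOT", "name": "slackbot", "is_bot": false, "deleted": false,
     "profile": {"real_name": "Slackbot"}}
  ],
  "response_metadata": {"next_cursor": ""}
}
""")


def members_exposing_email(payload):
    """Return IDs of active human members whose profile still includes an email.

    Once "Email Display" is turned off, users.list called with an ordinary
    member-level token should return profiles without the "email" key, so a
    non-empty result means the opt-out has not taken effect for that token.
    """
    if not payload.get("ok"):
        raise ValueError("Slack API error: " + str(payload.get("error", "unknown")))
    if payload.get("response_metadata", {}).get("next_cursor"):
        raise ValueError("response is paginated; merge all pages before auditing")
    exposed = []
    for member in payload.get("members", []):
        if member.get("is_bot") or member.get("deleted") or member.get("id") == "USLACKBOT":
            continue
        if member.get("profile", {}).get("email"):
            exposed.append(member["id"])
    return exposed


def email_display_disabled(payload):
    """True when no member profile in the response carries an email address."""
    return not members_exposing_email(payload)


if __name__ == "__main__":
    print("Members still exposing email:", members_exposing_email(SAMPLE_USERS_LIST))
    print("Email Display disabled:", email_display_disabled(SAMPLE_USERS_LIST))
```

Run it against a response captured with a non-admin token after the setting change; the sample run reports `U0001`, which is what a workspace still on the default would look like.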
