by mnahkies 1660 days ago
Ideally shouldn't the credential be rolled even if you delete the message?

Unless Slack hard deletes messages, but my guess would be soft deletion. Even then it's not really designed for sending sensitive credentials.

2 comments

Of course they should be rolled.

Even if Slack would delete the message, clients like bitlbee and wee-slack exist, and save the messages as soon as they come in, and Slack will not be able to delete them. Bots get those messages as well.

Just because the chat service deletes messages from their backend does not mean the message is deleted at the clients.

Slack has no concept of a hard delete. There's always a record, as far as I know.

So yes, you'll want to:

1. Delete the message

2. Revoke the token

3. Notify the user/security operations team