The New York Times is reporting that the recent hack of high profile Twitter accounts started by unauthorized users gaining access to a Slack channel where the credentials to log in to the back end Twitter systems were posted. So Twitter employees are sharing credentials. Its not clear, at that moment anyway, how the malicious individuals gained access to the Slack channels. What is learn that if you use Slack, you need to take a hard look at your Slack settings and what your users are doing in Slack.

This begs the question of why credentials are being shared openly among users in Slack channel in violation of the most basic security policies. In short, why are you sharing an account to gain access to the back end systems? When you have a whole pool of people who are responsible, then no one is. Its leads to situations where there is no accountability and people can do anything without repercussions.

At a guess, the system was designed by developers who were not thinking about security. Its entirely possible that there is only one set of credentials that works to attach to the back end systems that run Twitter. I have seen similar “design flaws” in other systems. This is precisely why making the change to DevSecOps is important.