Nathan Lehotsky

Proactive Measures Against Password Breaches And Cookie Hijacking

tl;dr: “Slack’s strategy has always been to anticipate and mitigate threats before they can impact our users. We have been continuously scanning the internet using regular expressions tailored to the specifics of our tokens and webhooks to find any that are publicly accessible. Oftentimes these secrets get inadvertently exposed when they get hard-coded into development code and then published somewhere like GitHub. Since these secrets provide varying levels of access to a user’s workspace, our tooling automatically and immediately invalidates tokens and webhooks upon discovery and notifies their respective owners.”

featured in #528