Researchers showed Slack AI could be tricked into leaking data from private channels
Security firm PromptArmor disclosed that Slack AI could be manipulated through indirect prompt injection: instructions planted in a public channel could cause the assistant to surface data from private channels, including secrets, to an attacker who never had access.
Instructions planted in a public channel could make the assistant surface secrets from private channels.
Key facts
- What
- Security firm PromptArmor disclosed that Slack AI could be manipulated through indirect prompt injection: instructions planted in a public channel could cause the assistant to surface data from private channels, including secrets, to an attacker who never had access.
- Incident date
- Aug 20, 2024
- Who
- Slack (Salesforce)
- Failure mode
- Prompt Injection
- AI surface
- Copilot
- Severity
- High
What happened
In August 2024 researchers at PromptArmor showed that Slack AI, which answers questions over workspace messages, could be steered by instructions hidden in a public channel to reveal information from private channels the attacker could not see, including API keys, by abusing how the assistant retrieved and summarized content.
What broke inside the model
- 01 · TriggerThe model reads retrieved or user-supplied text.
- 02 · Model stepThat text carries hidden instructions.
- 03 · Control gapNothing separates untrusted data from trusted commands.
- 04 · FailureThe injected instruction overrides the operator's.
- 05 · ConsequenceThe system acts on an outsider's intent.
At the injection point, retrieved text overrides the operator's instruction.
Untrusted content (an email, a document, a retrieved page, a tool result) was read as if it were a trusted instruction. The model has no built-in separation between the operator's instructions and the data it ingests, so attacker text in the data channel became commands the model followed.
What it cost
Disclosed data-exfiltration technique against an enterprise AI feature
Sources
- PressHow a Prompt Injection Vulnerability Led to Data Exfiltration (HackerOne)hackerone.com
- PressData Exfiltration Via AI Prompt Injection (PurpleSec)purplesec.us
Cite this entry
https://failureindex.ai/failures/researchers-showed-slack-ai-tricked-leakingAI Failure Index. "Researchers showed Slack AI could be tricked into leaking data from private channels" (FI-0049). Realm Labs. https://failureindex.ai/failures/researchers-showed-slack-ai-tricked-leaking (indexed Jun 3, 2026).Data fields CC-BY 4.0, prose citation permitted. Incident ID FI-0049. Full dataset at /data.
Note from Realm Labs, the Index steward
How Realm would have caught this
- Prism
- OmniGuard
Realm inspects the model's internal state for the signature of instructions arriving through the data channel, so an injected command can be flagged and blocked inline before the model acts on it, instead of trusting a classifier that scores the input as safe.