Hackers have gained access to the internal systems of Japanese media giant Nikkei through an employee’s Slack account after infecting his computer with malware. As a result, the attackers stole business partner data and chat history of at least 17,368 Slack users, creating a significant risk of further phishing attacks and espionage.

Nikkei, Japan’s largest financial media company and owner of the Financial Times, reported that corporate systems were compromised through an employee’s Slack account. Malware on the employee’s PC allowed hackers to steal Slack credentials and use them to access corporate chats and internal accounts.
The incident occurred in September, but the company has only now publicly announced it. The leak affected the names, email addresses and communication history of employees and partners. While Nikkei assures that the data of journalistic sources was not affected, the scale of the leak poses significant risks.
Security experts note that the attack follows a modern scenario:
- endpoint infection
- credential theft
- access to a SaaS platform
- hidden presence, imitating legitimate users
Experts warn that attackers can use stolen chat logs for targeted phishing campaigns and social engineering. The leak of Slack correspondence provides insider context, trust chains and business processes, all of which are fertile ground for future attacks.
Slack, like other cloud platforms for corporate communications, is becoming a critical element of business infrastructure. The growing number of attacks on SaaS services shows attackers moving from traditional network hacking to the “live as a legitimate user” model.
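One way to look for the last step of that chain, a stolen Slack credential being used from the attacker's own machine, is to compare each sign-in against that user's own history. This is an added example, not part of the original article or anything Nikkei published; the records are constructed, with field names modelled on the entries returned by Slack's team.accessLogs API method, and the 14-day baseline and the client_family helper are assumptions.

```python
from collections import defaultdict

T0 = 1_700_000_000              # constructed epoch seconds
BASELINE_END = T0 + 14 * 86400  # assumption: first 14 days form each user's baseline

def rec(uid, ip, country, ua, offset_days):
    return {"user_id": uid, "ip": ip, "country": country,
            "user_agent": ua, "date_first": T0 + int(offset_days * 86400)}

# Constructed records; field names follow Slack's team.accessLogs entries.
ACCESS_LOGS = [
    rec("U01A", "198.51.100.10", "JP", "Mozilla/5.0 (Macintosh) Slack/4.36", 1),
    rec("U01A", "198.51.100.44", "JP", "Slack/24.01 (iPhone; iOS 17)", 3),
    rec("U02B", "198.51.100.12", "JP", "Mozilla/5.0 (Windows NT 10.0) Chrome/120", 2),
    rec("U01A", "198.51.100.10", "JP", "Mozilla/5.0 (Macintosh) Slack/4.37", 15),
    rec("U01A", "203.0.113.77", "NL", "Mozilla/5.0 (Windows NT 10.0) Chrome/120", 16),
    rec("U02B", "198.51.100.12", "JP", "Mozilla/5.0 (X11; Linux x86_64) Firefox/121", 17),
    rec("U01A", "203.0.113.77", "NL", "Mozilla/5.0 (Windows NT 10.0) Chrome/120", 18),
]

def client_family(user_agent):
    """Coarse fingerprint: OS token plus Slack app vs. browser."""
    ua = user_agent.lower()
    os_name = next((o for o in ("windows", "macintosh", "iphone", "android", "linux")
                    if o in ua), "other")
    return (os_name, "app" if "slack" in ua else "browser")

def flag_new_context(logs, baseline_end):
    """Flag post-baseline entries whose country or client was never seen for that user."""
    countries, clients = defaultdict(set), defaultdict(set)
    alerts = []
    for e in sorted(logs, key=lambda e: e["date_first"]):
        uid, fam = e["user_id"], client_family(e["user_agent"])
        if e["date_first"] > baseline_end:
            if not countries[uid]:
                reasons = ["no baseline"]  # e.g. a new account: review manually
            else:
                reasons = [r for r, new in (("new country", e["country"] not in countries[uid]),
                                            ("new client", fam not in clients[uid])) if new]
            if reasons:
                alerts.append({"user_id": uid, "ip": e["ip"], "reasons": reasons})
        countries[uid].add(e["country"])  # learn after scoring: each context alerts once
        clients[uid].add(fam)
    return alerts

if __name__ == "__main__":
    for alert in flag_new_context(ACCESS_LOGS, BASELINE_END):
        print(alert)
```

In production, add a context to the baseline only after an analyst has cleared the alert; otherwise the intruder's device counts as known after its first appearance.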
Nikkei is a global media company with hundreds of journalists in 51 bureaus around the world. The scale of its infrastructure and the number of partners make the incident important not only for the media market, but also for corporate cybersecurity in general. The company voluntarily notified the Japanese regulator and announced that it is strengthening its data controls.
This incident demonstrates a key trend in cyberthreats: the breach starts at the endpoint, and the real target is SaaS access and internal communications. Slack and similar platforms are becoming more than just tools for work; they are entry points. Organizations should implement:
- access control and MFA
- anti-exfiltration systems
- EDR/EDP on endpoints
- phishing and SaaS hygiene training
The real damage often begins not with data loss, but with what that data allows attackers to do afterwards.