Slack token leaking in stackoverflow and devtimes
Medium
Shipt
Team Summary
Official summary from Shipt
A Shipt employee inadvertently posted a Slack Webhook URI including the authentication token on two public tech forums: Stackoverflow.com and devtimes.com. While this incoming webhook's configuration was restricted to posting in a single channel (created for testing this application) and only 2 Shipt users were in this channel, this allowed the researcher to enumerate those 2 users and post unauthorized messages as the bot associated with the Webhook. Upon receiving the report, Shipt's security team immediately invalidated the Webhook.
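As an added example (not part of this report or of Shipt's tooling), a pre-publish check that flags and redacts Slack incoming-webhook URLs in free text such as a forum post or a commit, since possession of the URL alone is enough to post into the target channel. The URL shape follows Slack's documented format; the team id, bot id and secret in the sample post are constructed placeholders, not the values from the report.

```python
import re

# Slack incoming-webhook URLs have a fixed shape: a team id (T...), a
# bot/app id (B...) and a 24-character secret. The URL itself is the only
# credential needed to post into the channel, so it must be handled as a
# secret wherever it appears (code, logs, forum posts, tickets).
SLACK_WEBHOOK_RE = re.compile(
    r"https://hooks\.slack\.com/services/"
    r"(?P<team>T[A-Z0-9]{8,12})/(?P<bot>B[A-Z0-9]{8,12})/(?P<secret>[A-Za-z0-9]{24})"
)


def find_slack_webhooks(text):
    """Return every webhook URL found in text (empty list if none)."""
    return [m.group(0) for m in SLACK_WEBHOOK_RE.finditer(text)]


def redact_slack_webhooks(text):
    """Replace the secret part of each webhook URL while keeping the team
    and bot ids, so the owner can still tell which integration to revoke."""
    def _redact(m):
        return (f"https://hooks.slack.com/services/"
                f"{m.group('team')}/{m.group('bot')}/[REDACTED]")
    return SLACK_WEBHOOK_RE.sub(_redact, text)


# Constructed sample of a forum post that accidentally includes a webhook.
# Ids and secret are placeholders, not real values.
FAKE_SECRET = "X" * 24
SAMPLE_POST = (
    "My Python script fails when posting to Slack:\n"
    "requests.post('https://hooks.slack.com/services/T0000EXAMP/B0000EXAMP/"
    + FAKE_SECRET + "', json={'text': 'hi'})\n"
    "Any idea why it returns 400?\n"
)

if __name__ == "__main__":
    hits = find_slack_webhooks(SAMPLE_POST)
    print(f"{len(hits)} webhook URL(s) found; blocking publish and redacting:")
    print(redact_slack_webhooks(SAMPLE_POST))
```

A hit should block the post or commit and trigger revocation of the webhook, exactly the remediation the report describes; redaction alone does not undo a leak that has already been published.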
Reported by
streaak
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Bounty
$300.00
Weakness
Cleartext Storage of Sensitive Information