Cover image for Stop Sending Secrets in Slack: A Developer's Guide to Sharing Sensitive Information Safely

Stop Sending Secrets in Slack: A Developer's Guide to Sharing Sensitive Information Safely

LinkPilot Team
8 min read

At some point in your developer career, you've done one of these:

  • Sent an API key in a Slack DM because it was the fastest way
  • Pasted a database password into an email thread
  • Dropped credentials into a shared Google Doc for a teammate
  • Screenshot a secret and texted it to someone

We all have. These feel harmless in the moment — it's just a quick share between trusted people — but they create real, durable security exposure that's easy to avoid once you understand the problem.

This post is about why these habits are riskier than they look, what actually happens to sensitive information shared through common channels, and the practical alternatives that take as little time as the bad habits.

The Problem With "Trusted Channel" Thinking

The instinct behind most insecure credential sharing is reasonable: you trust the person you're sharing with, and the channel feels private. Slack DMs feel private. Email feels private. A shared doc with restricted access feels private.

The flaw in this thinking is that "trusted" and "secure" are different properties of a channel, and most communication tools optimize for the former while having significant gaps in the latter.

Slack logs everything. Depending on your workspace plan, every message — including DMs — is potentially accessible to administrators, retained in audit logs, and available in a data export. If your organization's Slack workspace is ever compromised, every secret you've ever typed into a DM is in the breach. Slack also indexes messages for search, meaning a plaintext API key you sent six months ago is one search query away from anyone with admin access.

Email is persistent, forwarded, and archived in multiple places. An email containing credentials exists in your sent folder, the recipient's inbox, potentially their company's mail server logs, any email security gateways the message passed through, and backups of all of the above. You have no control over any of it after you hit send.

Shared documents don't expire. A Google Doc containing credentials stays accessible indefinitely by default. Access can be granted and forgotten. Document history is logged. People screenshot things. If the document is ever shared beyond its original audience — intentionally or accidentally — those credentials go with it.

Chat history creates a searchable archive of your worst security days. The specific irony of sharing secrets in productivity tools is that the very thing that makes these tools useful — persistent, searchable history — is what makes them dangerous for sensitive information. Every secret you've ever shared in Slack is findable by anyone with the right access, for as long as the workspace exists.

What "Secure" Actually Means for One-Time Shares

For sharing sensitive information securely, the properties that matter are simple:

The information should exist in transit only. Once it's been received and used, it should no longer be accessible. Persistent storage of credentials is a liability with no upside — the recipient needed the information at one point, not indefinitely.

It should be accessible once, then destroyed. A one-time view mechanism ensures that even if the link is intercepted or forwarded, it can only be accessed by the first person who opens it.

It should expire automatically. A time limit means that a forgotten link doesn't create indefinite exposure. If you send credentials that expire in 24 hours and the recipient forgets to use it, you get a notification — not a permanent standing vulnerability.

The sending channel shouldn't retain the content. The whole point is that the sensitive information doesn't end up in a chat log or email archive. The secure channel carries a link, not the secret itself.

The Practical Toolkit

There are a few legitimate ways to share sensitive information that have these properties. Here's how they work in practice:

Self-destructing secret links

Tools like LinkPilot let you paste any secret — an API key, a password, a one-time code, a private document — and get back a link that expires after it's been viewed once, or after a set time limit. You send the link through Slack or email. The recipient opens it, reads the secret, and the link is gone. What's in your Slack history is a dead link, not a credential.

This is the closest thing to a drop-in replacement for the "paste secret in DM" habit. Same workflow, none of the persistence.

Password managers with secure sharing

If you're already using a team password manager (1Password, Bitwarden, etc.), most of them include a secure sharing feature for one-time or time-limited access to an item. This is good for longer-lived sharing with team members who are set up in the same system. Less convenient for quick one-off shares with people outside your organization.

Vault references, not values

The better practice for credentials that a teammate needs ongoing access to is to store them in a vault (AWS Secrets Manager, HashiCorp Vault, 1Password Teams, Doppler) and share the reference — "use the API key from the dev/stripe secret in the vault" — rather than the value. This pattern means the credential value is never in a chat log; only the reference is.

This doesn't help for quick one-offs or when you're sharing with someone who doesn't have vault access, which is exactly where self-destructing links fill the gap.

Common Scenarios and What to Do Instead

Scenario: A new developer joins and needs the staging database credentials.

Don't: Slack them the password. Do: Add them to the password vault and share the vault item with time-limited access, or if they're not yet set up in the vault, use a self-destructing link that expires in 2 hours.

Scenario: You need to share an API key with a freelancer for a one-off project.

Don't: Email them the key. Do: Create a self-destructing link, send the URL, revoke the key when the project ends. The link expires after one view so forwarding it is safe.

Scenario: Your teammate is locked out and needs their 2FA backup code.

Don't: Text it to them. Do: Self-destructing link. SMS is particularly bad for this — messages are often backed up, carrier logs exist, and phones get lost.

Scenario: You're deploying to a new server and need to paste in an SSH private key.

Don't: Open the file in a text editor and copy-paste it through chat. Do: Self-destructing link with a very short expiry. View once, done.

Scenario: A client needs their login credentials for the system you built.

Don't: Include them in the handoff email. Do: Send a separate self-destructing link. The email thread — which they will forward to colleagues, archive forever, and possibly leave in an unsecured inbox — carries only the URL.

The One Practice Change That Covers 80% of the Risk

If you do one thing after reading this, do this: stop sending the credential itself and start sending a link to the credential instead.

The mechanism — self-destructing link, password manager share, vault reference — matters less than the behavior change. The moment you break the habit of putting raw secrets into communication channels, you eliminate the largest single source of credential exposure for most development teams.

Self-destructing links are the easiest entry point because they require no setup, work for anyone with a browser, and take about the same amount of time as the habit they replace. Create the link, send the URL, done.

On the "It's Just Internal" Argument

The most common defense of insecure credential sharing is that it's only happening within a trusted environment — your team, your company, people you know. Two problems with this:

First, breaches routinely start with compromised internal accounts. An attacker who gains access to one engineer's Slack account suddenly has access to years of credential-containing DMs. Insider-threat scenarios aside, compromised accounts are common, and the blast radius expands with every secret that lives in chat history.

Second, the people you're sharing with may not maintain the same security practices you do. A credential you sent securely ends up in someone else's less-secure environment. You don't control what happens after delivery — but a link that expires after one view limits the damage regardless.

Closing Thought

Security habits compound in both directions. Every secret that lives in Slack is a small accumulation of future risk. Every secret that passes through a self-destructing link leaves no trace. The habits are about equally effortful, and one of them has a very different long-term risk profile.

The infrastructure for this doesn't need to be complex. A self-destructing link tool, a team password manager, and a vault for long-lived secrets covers almost everything. The hard part isn't the tooling — it's replacing a dozen small habits that feel harmless until they aren't.

LinkPilot — Create expiring, burn-after-read links for sensitive information. Free to use.

LinkPilot is a secure link platform for sharing sensitive information through self-destructing, expiring links. No account required to receive. Learn more at uselinkpilot.com.