Hacktivists expose Snapchat users

By Chad Hemenway on January 6, 2014

Social media app Snapchat rang in the New Year as a “victim” of hacktivism when a group of cyber security researchers exploited a weakness in Snapchat’s operational system in order to expose more than 4.5 million usernames and telephone numbers.

According to reports, users of Snapchat send 350 million photos per day. The app is designed to make photos and videos disappear once they are viewed.

Snapchat has added tens of millions of dollars in funding and made headlines recently when co-founders Evan Spiegel and Bobby Murphy turned down a reported $3 billion cash offer from Facebook. However, it has also been scrutinized for what some perceived as lackluster security measures.

In late August, Sydney-based Gibson Security pointed out flaws in Snapchat’s systems. After four months of apparent inactivity by Snapchat, hacktivist thieves attacked the system using the vulnerability exposed by Gibson Security and posted the usernames and telephone numbers to SnapchatDB.info.

The security researchers who have taken responsibility for the cyber attack said they easily accessed Snapchat’s user information “through the recently patched Snapchat exploit and is being shared with the public to raise awareness on the issue.”

“The company was too reluctant at patching the exploit until they knew it was too late, and companies that we trust with our information should be more careful when dealing with it,” they continued.

Hacktivists typically attack security or data not for financial gain but to make a statement. No matter the motive or the awareness it creates, the practice remains a risk to companies that have not invested in cyber risk management or have ignored warnings.

Whether for financial gain or to expose vulnerabilities for the benefit of the public, a hacking incident filters through to a company’s bottom line, Richard Bortnick, shareholder at law firm Christie Pabarue & Young in Philadelphia and publisher of the blog, Cyberinquirer, told Advisen.

“To me, the story is that in the face of the increasing number of cyber breaches being made public—as opposed to those which are swept under the rug—little attention is being paid to hacktivism, which is based on a materially different set of motivations and intended results,” Bortnick said. “Snapchat demonstrates that hacktivism remains a very real threat.”

According to a Snapchat blog post, the weakness was created by the app’s “Find Friends” feature, which allows users to upload their address books to the service so that it can connect users with each other by telephone number.

Snapchat says it “implemented various safeguards” over the last year to make it more difficult to connect telephone numbers to usernames. “We recently added additional counter-measures and continue to make improvements to combat spam and abuse.”

Snapchat said it will release an updated version of the app.

Chad Hemenway is Managing Editor of Advisen News. He has more than 15 years of journalism experience at a variety of online, daily, and weekly publications. He has covered P&C insurance news since 2007, and he has experience writing about all P&C lines as well as regulation and litigation. Chad won a Jesse H. Neal Award for Best Single Article in 2014 for his coverage of the insurance implications of traumatic brain injuries and Best News Coverage in 2013 for coverage of Superstorm Sandy. Contact Chad at 212.897.4824.