Snapchat skyrocketed to popularity as an alternative to sites like Facebook because the app promises to quickly delete users' posts and photos, eliminating digital footprints that could lead to trouble.
But its commitment to user privacy was in question this week because hackers posted 4.6 million of its users' names, and part of their phone numbers, even after the company had been warned it was vulnerable to cyberattack.
“Here we have a business that prides itself on providing a service that is supposed to be oriented around the private interchange of information,” said Mark Bower, a vice president at Cupertino-based Voltage Security. “So it's a concern to anybody using the service.”
The breach comes at a critical time for the hot company, which was started by two Stanford fraternity brothers and has become one of the most popular apps in the world, especially with teens and 20-somethings. The Venice-based company reportedly handles about 350 million messages a day and turned down a $3 billion offer from Facebook, presumably waiting for a bigger payday.
The Snapchat incident is the latest in a series of disturbing data breaches in recent months. Besides the recent attack on Target, in which cyberthieves stole credit and debit card information for up to 40 million customers, San Jose-based Adobe Systems (ADBE) disclosed in October that hackers had accessed 38 million user passwords. And on Wednesday, Microsoft's Web calling service Skype revealed that its social-media sites had been attacked, although it said “no user information was compromised.”
Snapchat user Cheryl Rubiaco, 29, of San Jose, learned about the attack Thursday just after posting a dozen photos and a couple of videos she took while celebrating her New Year's Day birthday in San Francisco.
“I might take a break from Snapchat and see what the company says to assure that its users are protected,” she said. “If they're not taking action to protect their users, I would have to rethink whether I keep my account.”
Officials at Snapchat — which was launched two years ago by Stanford pals Evan Spiegel and Bobby Murphy — couldn't be reached for comment. But in August Australian firm Gibson Security reported finding “severe vulnerabilities” at Snapchat. Several days before the breach, Snapchat acknowledged the problems and assured users that “we've implemented various safeguards.”
However, its efforts appeared to be insufficient.
The revelation about Snapchat is particularly troubling because its popularity is so tied to its policy of deleting photo and video messages, or “snaps,” seconds after they are shared.
The unidentified Snapchat hackers posted the information — with the last two digits of the phone numbers removed — on a site called SnapchatDB.info. They also sent a statement to the popular technology blog TechCrunch that “our motivation behind the release was to raise the public awareness around the issue and also put public pressure on Snapchat to get this exploit fixed,” adding that they were concerned about “how reckless many Internet companies are with user information.”
Snapchat late Thursday announced on its blog that it would update its app to make it harder for a similar cyberattack to happen again.
Snapchat user Adrienne Goldsworth, 33, of Fremont, learned of the hack after posting a photo of her cat to 30 friends. She fears her phone number might get into the wrong hands because in 2009 she'd gotten fraudulent phone calls demanding money for bills she didn't owe and “I didn't want that happening again.”
But pilfered phone numbers can cause broader problems. By combining phone numbers and usernames with databases of commonly used passwords or other information, experts warn, hackers can sometimes steal consumers' identities and access their financial accounts.
“This vulnerability could hypothetically be used to stalk members of society — such as public figures — or the data could even be sold to various firms, with the intent of using it and other data to connect online profiles to people in real life,” according to the Gibson Security warning about Snapchat's problems.
Nathaniel Couper-Noles of security firm Neohapsis agreed, adding that “tying your username to your phone number may help connect a few dots that someone might not otherwise have been able to connect.”
And because of the growing use of social media and other Internet sites, such threats are bound to increase, added Oscar Marquez of Redwood City security firm Total Defense.
“This should definitely be a wake-up call for both users and organizations with an online presence,” he said. “Breaches such as this are going to become more common.”