On December 31st, 2013, attackers posted a database of 4.6 million Snapchat usernames and phone numbers online, harvested by bulk-querying Snapchat's friend-finder lookup. To see whether yours was among them, check http://lookup.gibsonsec.org.
The irony is that Snapchat has grown increasingly popular over the past year because younger audiences see it as a safer and more trusted social media platform than the likes of Facebook. The question remains: how safe is Snapchat, really?
One way to answer that is to look at Snapchat's own Law Enforcement Guide, last updated December 1, 2012. The document states:
“Snapchat stores the following information for each user:
- Phone Number
- A log of the last 200 snaps that have been sent and received (similar to a phone record)
- Date Account was Created”
Because every snap is tied to an email address, a phone number, a unique username, and a history of up to 200 prior snaps, even a “self-destructing” message carries a substantial trail of persistent metadata. In that light, this breach was not a surprise but a threat waiting to happen.
One unintended consequence of a social network growing quickly (Instagram, Pinterest, WhatsApp and Snapchat alike) is that it instantly becomes a target for attackers. Consumers rarely check whether the back-end technology behind a platform is secure, so this incident is a reminder to treat anything you give a social network, usernames and phone numbers included, as potentially public, and never to reuse there a password you use anywhere else.
This attack was not accidental. Gibson Security had warned Snapchat in August that this kind of username and phone number harvesting was possible. Snapchat responded on December 27th with a blog post saying, in effect, that safeguards were in place and users were safe. The breach four days later shows that they were not.
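The attack class Gibson Security warned about is simple to model: a contact-matching lookup takes a list of phone numbers and returns the usernames registered to any of them, and with no batch cap or per-client budget one client can walk an entire number range. The following simulation is an added example written for this article, not Snapchat's code; the directory entries, the limit values (50 numbers per batch, 200 lookups per client) and the class and function names are illustrative assumptions. It places the unthrottled lookup beside a hardened one and shows how far a sweep gets against each.

```python
"""Simulation of phone-number-to-username enumeration via a contact lookup.

Illustrative model only (not Snapchat's code): a friend-finder endpoint
matches submitted phone numbers against registered accounts. The weak form
answers any batch, any number of times. The hardened form caps batch size
and charges every submitted number against a per-client budget, so a sweep
of a number range needs many accounts and many requests instead of one.
"""
from collections import defaultdict

# Constructed sample directory: E.164-style phone number -> username.
USER_DIRECTORY = {
    "14155550101": "alice_s",
    "14155552342": "bob_k",
    "14155555177": "carol_m",
    "14155559999": "dave_q",
}


class UnthrottledLookup:
    """Weak form: no batch limit, no per-client quota."""

    def __init__(self, directory):
        self.directory = directory

    def find_friends(self, client_id, numbers):
        # Returns every match, however many numbers were submitted.
        return {n: self.directory[n] for n in numbers if n in self.directory}


class ThrottledLookup:
    """Hardened form: bounded batch size plus a per-client lookup budget.

    max_batch and budget are assumed values for illustration.
    """

    def __init__(self, directory, max_batch=50, budget=200):
        self.directory = directory
        self.max_batch = max_batch
        self.budget = budget
        self.used = defaultdict(int)  # numbers looked up so far, per client

    def find_friends(self, client_id, numbers):
        if len(numbers) > self.max_batch:
            raise ValueError("batch exceeds max_batch")
        if self.used[client_id] + len(numbers) > self.budget:
            raise PermissionError("lookup budget exhausted")
        # Charge the budget for every number submitted, matched or not,
        # so misses cost the client as much as hits.
        self.used[client_id] += len(numbers)
        return {n: self.directory[n] for n in numbers if n in self.directory}


def sweep_range(service, client_id, prefix, batch):
    """Enumerate prefix + 0000..9999 in batches; return the leaked mapping.

    Stops at the first refusal, which is what a single abusive client sees.
    """
    numbers = [f"{prefix}{i:04d}" for i in range(10000)]
    leaked = {}
    for i in range(0, len(numbers), batch):
        try:
            leaked.update(service.find_friends(client_id, numbers[i:i + batch]))
        except (ValueError, PermissionError):
            break
    return leaked


def clients_needed(range_size, budget):
    """How many distinct clients a full sweep needs under a per-client budget."""
    return -(-range_size // budget)  # ceiling division


if __name__ == "__main__":
    weak = sweep_range(UnthrottledLookup(USER_DIRECTORY), "attacker", "1415555", 1000)
    print("unthrottled, one client:", len(weak), "accounts leaked")
    hard = sweep_range(ThrottledLookup(USER_DIRECTORY), "attacker", "1415555", 50)
    print("throttled, one client:", len(hard), "accounts leaked")
    print("clients needed to finish the sweep:", clients_needed(10000, 200))
```

Against the unthrottled lookup a single client recovers all four accounts in ten requests. Against the throttled one, the same client gets refused after 200 numbers and sees one account, and finishing the 10,000-number block would take 50 separate registered clients, which is the kind of friction (together with monitoring for exactly that pattern) that the August warning was asking for.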
There are further problems with Snapchat for anyone trying to maintain their privacy. Nothing forces the sender to delete the original photo or video from their own device, and nothing prevents the receiver from taking a screenshot or otherwise capturing the screen while the snap is displayed.
Snapchat itself also stores snaps under certain circumstances. Although the service keeps no image or video data once a snap has been viewed, what happens when you send a snap to a user who is no longer checking Snapchat, or who has set it aside during a vacation or exams? From Snapchat's Law Enforcement Guide:
“If an image or video has not been viewed, it remains on the Snapchat server for 30 days, and then it is removed.”
In other words, any snap that is not viewed promptly sits on Snapchat's servers for up to a month, where a server compromise could expose it and from where it could end up shared online.
Given these results, it is fair to say that Snapchat has been cavalier about its security problems. A company that builds a service scaling to thousands, let alone millions, of users takes on the responsibility of keeping their information safe if it wants to be trusted. Considering that Snapchat raised $50 million in December on top of a $60 million round in June, it is not that they lack the funding to build a secure service.
The real problem is simpler: Snapchat is focused on becoming a 4 billion dollar company rather than on ensuring that its core product is secure and scalable. That is no surprise; many companies neglect one of the core pillars of technology when they build their product, whether it be social, analytics, mobile, cloud, or security, and the neglected pillar eventually comes back to undermine product viability or scalability. Snapchat has reached that moment: it has scaled to the point where it needs world-class security before going further.
Until that happens, DataHive recommends that employees using Snapchat, whether for messaging or marketing, go through a compliance process ensuring that nothing used on Snapchat can be turned into a social engineering lever against corporate systems. Ideally this means no employee names, and no accounts tied to individual employees or to admin-level access.
DataHive also recommends using a social media compliance tool, such as Actiance or Smarsh, where possible, to control the content associated with external social media. Social content needs to be timely, but it also needs to come from the right people and in the right context to be meaningful.
If you’d like more information on how to design your social networking and social media strategy to be secure and compliant while still getting bang for your buck, please feel free to email us at email@example.com to set up a free 30 minute call with our social consultants.