Snapchat, a mobile video app known for self-destructing messages, self-destructed with a security breach last Friday. According to their February 28th blog entry: “Snapchat’s payroll department was targeted by an isolated email phishing scam in which a scammer impersonated our Chief Executive Officer and asked for employee payroll information.”
Details of what sensitive information was taken haven't been confirmed. But given where it came from (the payroll department), it likely included everything from Social Security numbers to banking information. The good news is that, according to Snapchat, no user data was breached (again).
We, of course, are less concerned with what data was compromised and more concerned with how it was compromised. This was a targeted impersonation scam, not the run-of-the-mill malicious attachment: no malware, just a convincing request from the wrong sender. Someone posed as the CEO of a major social media app with over 100 million users who watch 7 billion video clips per day. They did this by obtaining email addresses in use within the company and somehow reaching the payroll department under the alias of Evan Spiegel, CEO and co-founder.
The recipient failed to recognize the fraudulent sender and complied with the request, effectively handing the identities of multiple Snapchat employees, past and present, to criminals.
While we feel for those affected, this is also a great example of how easily even the most sophisticated companies and their employees can fall victim to a scam. All it took was one email and one reply for an attacker to get hold of private data. And almost none of it could have been prevented with antivirus or a software firewall, because there was nothing malicious for them to detect. This was an analog security hole: a human being at the end of the work week having a temporary lapse in awareness.
For us, the lesson is simple and obvious: verify your sources, and think before you click. In this case, the recipient failed to confirm he or she was communicating with the real Spiegel, and failed to ask why the CEO would suddenly need payroll information. A request like that deserves a phone call to a number you already know, or a walk to the executive's office, not a reply to the email itself. It should be common sense, but a lapse of common sense is exactly what hackers thrive on.
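The human check above can be backed up by a mechanical one at the mail gateway. The script below is an added example, not Snapchat's code or anything from the post's author: it parses inbound messages with Python's standard `email` library and flags the patterns behind executive-impersonation phishing, namely a display name that matches an executive but comes from the wrong mailbox, a Reply-To that steers replies to a different domain, a message claiming the internal domain that failed DMARC, and a request for payroll-type data. The company domain `example.com`, the executive roster and the three sample messages are all constructed for illustration.

```python
"""Flag inbound mail that impersonates an executive (added example; constructed data)."""
from __future__ import annotations

from email import policy
from email.parser import BytesParser
from email.utils import getaddresses, parseaddr

COMPANY_DOMAIN = "example.com"  # assumed internal domain (constructed)
EXECUTIVES = {  # constructed roster: normalized display name -> real mailbox
    "jane doe": "jane.doe@example.com",
    "sam lee": "sam.lee@example.com",
}
SENSITIVE_TERMS = ("payroll", "w-2", "w2", "ssn", "social security", "wire", "bank")


def _norm(name: str) -> str:
    return " ".join(name.lower().split())


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def analyze(raw: bytes) -> list[tuple[str, str]]:
    """Return (code, detail) findings for one raw RFC 5322 message; empty means clean."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings: list[tuple[str, str]] = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(from_addr)

    # 1. Display name matches an executive but the address is not that executive's mailbox.
    name = _norm(from_name)
    if name in EXECUTIVES and from_addr.lower() != EXECUTIVES[name]:
        findings.append(("EXEC_NAME_MISMATCH", f"'{from_name}' sent from {from_addr}"))

    # 2. Reply-To points at a domain other than the one the mail claims to come from.
    for _, reply_addr in getaddresses([str(msg.get("Reply-To", ""))]):
        if reply_addr and _domain(reply_addr) != from_domain:
            findings.append(("REPLY_TO_MISMATCH", f"replies go to {reply_addr}"))

    # 3. Claims the internal domain but the gateway recorded a DMARC failure.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if from_domain == COMPANY_DOMAIN and "dmarc=fail" in auth:
        findings.append(("DMARC_FAIL_INTERNAL", "internal sender failed DMARC"))

    # 4. The request itself is for payroll/financial data, which raises the stakes.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    hits = [t for t in SENSITIVE_TERMS if t in text]
    if hits:
        findings.append(("SENSITIVE_REQUEST", "asks for: " + ", ".join(hits)))
    return findings


# Constructed sample messages (not real traffic).
PHISH = b"""From: Jane Doe <jane.doe@example-corp.net>
To: payroll@example.com
Reply-To: jane.doe.ceo@mail-example.org
Subject: Need payroll info today
Content-Type: text/plain; charset="utf-8"

Hi, please send the W-2 data for all current and former employees. Thanks, Jane
"""

SPOOFED = b"""From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Authentication-Results: mx.example.com; dmarc=fail header.from=example.com
Subject: Urgent: payroll export
Content-Type: text/plain; charset="utf-8"

I need the full payroll list before my 2pm call.
"""

LEGIT = b"""From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Authentication-Results: mx.example.com; dmarc=pass header.from=example.com
Subject: Board meeting agenda
Content-Type: text/plain; charset="utf-8"

Please add the Q2 headcount slide.
"""

if __name__ == "__main__":
    for label, sample in (("PHISH", PHISH), ("SPOOFED", SPOOFED), ("LEGIT", LEGIT)):
        print(label, analyze(sample) or "clean")
```

Rule 1 catches the lookalike-domain case in this story; rule 3 catches the harder case where the From address is exactly right but the message never came through the company's mail servers, which only works if DMARC is actually enforced for the domain and the gateway stamps `Authentication-Results`. None of this replaces the phone call, but it puts a warning banner in front of the person who would otherwise reply on a Friday afternoon.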
Snapchat ended their apology with this:
“When something like this happens, all you can do is own up to your mistake, take care of the people affected, and learn from what went wrong. To make good on that last point, we will redouble our already rigorous training programs around privacy and security in the coming weeks. Our hope is that we never have to write a blog post like this again.”
We hope the same, Snapchat. But somehow we doubt this will be our last blog post on the subject.
By Justin Bonnema