Slashdot Mirror


Snapchat Employee Data Leaked Following Phishing Scam (techcrunch.com)

An anonymous reader writes: Snapchat suffered a huge data breach over the weekend after an employee fell victim to a phishing email scam which impersonated co-founder and CEO Evan Spiegel requesting payroll information. While the video messaging app's servers were unaffected and user data remained completely safe, both former and current employees were informed that some of their sensitive information had been leaked. Snapchat immediately reported the incident to the FBI and has offered affected staff two years of free identity theft insurance and monitoring. Snapchat admitted that it felt 'real remorse and embarrassment' that one of its employees had fallen for the attack, particularly as it takes privacy and security so seriously.

48 comments

  1. Most embarrassing revelations by NotDrWho · · Score: 4, Funny

    That they all work at Snapchat.

    --
    SJW's don't eliminate discrimination. They just expropriate it for themselves.
    1. Re:Most embarrassing revelations by gstoddart · · Score: 4, Funny

      Isn't snapchat where you show your penis to random people on the internet and see how long before they disconnect?

      You'd think she'd recognize the CEO. ;-)

      --
      Lost at C:>. Found at C.
    2. Re: Most embarrassing revelations by Anonymous Coward · · Score: 0

      You are one of the founders, aren't you?

      I had to look up wtf a snapchat is - I thought it had to do with a Bieber something.

      After reading wtf it is and how much Kleiner shoved at it, I just shook my head and realized that at 50, I do not in fact "get it". See, to this old fart, snapchat is just another gimmick for the narcissist millennials. It's going to generate revenue with advertising - the business model for Lamoes.

      Wtf is it with VCs and Stanford? They throw money at every dumbass thing that comes out of that school?

    3. Re:Most embarrassing revelations by Anonymous Coward · · Score: 0

      Well, OP must be doing something right, because, right now, he is one of the funniest (+5 Funny) posters of our time.

    4. Re:Most embarrassing revelations by Anonymous Coward · · Score: 0

      That's Omegle.

    5. Re:Most embarrassing revelations by NotDrWho · · Score: 3, Funny

      They told me I wasn't qualified to work there because I don't use terms like "Umadbro" in my internet posts.

      --
      SJW's don't eliminate discrimination. They just expropriate it for themselves.
  2. bullshit by Anonymous Coward · · Score: 0

    Their so-called messages can be recorded and saved so there goes their security

    1. Re:bullshit by Anonymous Coward · · Score: 0

      More so than that, if they took privacy and especially security as seriously as they claim, they'd be educating their employees on how to spot those things so they don't fall victim to social engineering.

  3. AppChat appers should know better! by Anonymous Coward · · Score: 0, Troll

    Modern app appers know that ONLY apps can app apps, so the AppChat employee should have known better than to trust a LUDDITE email instead of requesting an appy app app!

    Apps!

    1. Re:AppChat appers should know better! by Anonymous Coward · · Score: 0

      Snapchat is an APP!, mr. APP! APP!

      check. and mate.


      great. now I'm always going to picture mr APP! APP! as a Martian from "Mars Attacks"

    2. Re:AppChat appers should know better! by Anonymous Coward · · Score: 0

      I can't believe I have to defend App guy.

      His point is that it is an App and he should have known better than to trust the luddite email (which apparently is not appy).

    3. Re:AppChat appers should know better! by vel-ex-tech · · Score: 1

      Oh come on, people! -1? The apps guy actually has a point here! (Stopped watch and all that.) Throw the man a funny mod or two.

      Email is fundamentally insecure for the layperson. I'm not going to expect a layperson to dig through email headers to figure out if something is a spearphishing attack or not, and laypeople generally lack the attention to detail to even have red flags go up in the first place. That's assuming their email client is even configured to display the actual email address of the sender in the <brackets> instead of just the sender's name.

      On the other hand, if instead of using Luddite email, SnapChat had been using something cryptographically secure for internal communications (like an APP!), spearphishing would not have succeeded.

    4. Re:AppChat appers should know better! by Anonymous Coward · · Score: 0

      Cryptographic security is LUDDITE software! Modern app appers use APPS to app apps, not LUDDITE cryptography!

      Apps!

    5. Re:AppChat appers should know better! by Anonymous Coward · · Score: 0

      If it's any consolation for your -1 Troll moderation, I'm sitting here giggling like an idiot...

  4. Fines by Anonymous Coward · · Score: 0

    Until there are serious and substantial penalties for these types of events, nothing will change. Regardless of how "bad" they feel...

  5. Looks like that payroll data is already stale by JoeyRox · · Score: 1

    Because as of today there will probably be one less employee on it.

  6. You would think there would be better processes by swb · · Score: 3

    ...at least better than "an email from the CEO" asking for a bulk delivery of sensitive information.

    And maybe a process whereby it gets encrypted so only the recipient can open it..

    1. Re:You would think there would be better processes by gstoddart · · Score: 3, Insightful

      In your years which allow you to have such a low id ... have you observed that CEOs are likely to follow a damned process? In my experience, the higher up the org chart, the less you're willing to actually follow any processes and policies; I've seen VPs who would do stuff which would get a normal person sacked because it's so stupid and contrary to security policies.

      But, in this specific case, it sounds like a well crafted bit of spear phishing ... an email from someone you know, demanding something they know you have, and containing all of the right cues to make you respond.

      Most people aren't really capable of the sustained level of paranoia which allows you to say "I just received email from our CEO and I need to assume it's completely fraudulent". As much as many of us on Slashdot do it, it's really not a "normal" behavior most people can wrap their head around.

      Not trusting anything is normally considered a mental problem; sadly where it comes to email and modern technology, it's the entirely reasonable response.

      --
      Lost at C:>. Found at C.
    2. Re:You would think there would be better processes by Anonymous Coward · · Score: 0

      However, not trusting something that is unusual or out of character is prudent.
      Has the CEO asked for this information before? Was the email address and reply-to address identical to the CEO's?

      Seriously, if the CEO has never asked you for this information (and why would he - his secretary would!) and corresponds to you via email, a quick call to your manager or his secretary would verify this in no time. It also covers your behind performing due diligence.
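
The two checks the comments above keep coming back to (does the client show the real sender address behind the display name, and do the From and Reply-To addresses match) can be scripted. The following is an added example written for this page, not Snapchat's code or anything from the original thread; the executive directory, the internal domain list, the sensitive-phrase list and both sample messages are constructed assumptions.

```python
# Added example: heuristic checks for executive-impersonation ("CEO fraud") e-mail.
# Not Snapchat's code. EXEC_DIRECTORY, INTERNAL_DOMAINS, SENSITIVE_PHRASES and the
# two sample messages are constructed for illustration only.
from email import message_from_string
from email.utils import parseaddr

# Assumed directory: lowercase display name -> the one address that name may use.
EXEC_DIRECTORY = {"evan spiegel": "evan@example.com"}
# Assumed set of domains the company actually sends mail from.
INTERNAL_DOMAINS = {"example.com"}
# Phrases that, together with a spoofing signal, make a request worth a phone call.
SENSITIVE_PHRASES = ("w2", "w-2", "payroll", "ssn", "social security", "wire")


def check_message(raw, exec_directory=EXEC_DIRECTORY, internal_domains=INTERNAL_DOMAINS):
    """Return a list of human-readable findings; an empty list means no signal."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_addr = from_addr.lower()
    reply_addr = reply_addr.lower()
    from_domain = from_addr.rsplit("@", 1)[-1]
    findings = []

    # 1. The display name belongs to an executive but the address is not that
    #    executive's: the trick that works when the client shows only the name.
    expected = exec_directory.get(from_name.strip().lower())
    if expected and from_addr != expected:
        findings.append(f"display-name impersonation: '{from_name}' sent from "
                        f"{from_addr}, directory says {expected}")

    # 2. Reply-To points somewhere other than From, so the victim's reply
    #    (and any attached payroll file) goes to the attacker, not the CEO.
    if reply_addr and reply_addr != from_addr:
        findings.append(f"reply-to mismatch: From {from_addr} but replies go to {reply_addr}")

    # 3. The From address is outside the company's own sending domains.
    if from_domain not in internal_domains:
        findings.append(f"external sender domain: {from_domain}")

    # 4. The mail asks for data that should never move by e-mail at all; only
    #    flag it when at least one spoofing signal above is also present.
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    hits = [p for p in SENSITIVE_PHRASES if p in text]
    if hits and findings:
        findings.append(f"sensitive data request ({', '.join(hits)}) combined with spoofing signals")
    return findings


# Constructed sample: a lookalike domain, a mismatched Reply-To and an urgent W-2 request.
PHISH = """From: Evan Spiegel <evan.spiegel@mail-example.net>
Reply-To: ceo-office@mail-example.net
To: payroll@example.com
Subject: Urgent - employee W-2s needed today

Hi, I'm tied up with the auditors and need the full employee list with all
W-2s emailed to me immediately. Please handle this before noon.
"""

# Constructed sample: the same executive, from the address the directory expects.
LEGIT = """From: Evan Spiegel <evan@example.com>
To: payroll@example.com
Subject: Q1 all-hands date

Can you confirm the all-hands is still on the 14th? Thanks.
"""

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, check_message(raw) or ["no findings"])
```

The checks are deliberately cheap header and keyword heuristics, which is what a mail gateway or a payroll mailbox filter could apply before a human ever reads the message; they do not replace the out-of-band phone call the comment recommends, they just make sure the call happens.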

    3. Re:You would think there would be better processes by swb · · Score: 2

      No, executives always disdain process, the only time they follow it is when they want to drag their feet or they're engaged in some kind of executive politics.

      But I guess the naive optimist in me might believe that an information technology company not far from the center of smartphone privacy and security debates might actually have done some thinking about this, especially since they probably (hopefully?) have some security people on staff and maybe some concern about being penetrated to obtain user information and/or compromise messaging.

      I guess I wouldn't even question the lack of process it if it was any other kind of company involved.

      But like I said, I'm a long-time pessimist whose naive optimism apparently can't be killed off.

    4. Re:You would think there would be better processes by Anonymous Coward · · Score: 0

      I remember talking to a used car salesman and he said they printed out the finance rates from all the lenders so we didn't need to shop around to see the deals. I said I couldn't trust that they were accurate. He said they just got them in a document and printed them out every morning. I said how easy it is to change documents. He said I had trust issues. I wonder who the hell out there does trust a used car salesman that he'd view my lack of trust as trust issues.

    5. Re:You would think there would be better processes by Mike Van Pelt · · Score: 1

      Based on what I've seen, the email may well have looked something like this:

      "Hi, Bob, this is Evan. I've got an urgent request -- I'm at the IRS office; we're getting audited, and I need you to email me the full employee list with all W2s immediately."

      It's that time of year... And this sort of thing has been exploding recently.

    6. Re:You would think there would be better processes by swb · · Score: 1

      I doubt it.

      No corporation that gets audited sends the CEO down to the IRS without representation. That's the whole point of having a CPA handle your taxes. You'd be represented by at least a CPA if not a tax lawyer and corporate counsel.

      And they're not going to ask for documents in person and then tap their watch as they wait for you to get them emailed. It's far more structured than that.

      And you also mean to tell me that someone with wide-open access to sensitive employee data isn't in the loop enough to know if the company is being audited?

      I think this creates the very definition of a fucked company that has other problems -- CEO self representing at an audit, handing over documents on demand without advice of counsel, and a corporate accounting and finance department completely out of the loop.

    7. Re:You would think there would be better processes by Anonymous Coward · · Score: 0

      PHBs don't know how to use tech or established processes. And they want things done now. Is that new to you?

    8. Re:You would think there would be better processes by Mike Van Pelt · · Score: 1

      You're right ... the spear-phishing crook is hoping someone in HR doesn't know that, though, or perhaps hopes they'll get panicked by the email into not examining it closely. Emails like this are being sent out. I have seen several examples. I don't know what percentage of recipients are fooled by them, but I know the percentage is greater than zero.

  7. It's ok, the leak will disappear after 10 seconds by Anonymous Coward · · Score: 0

    Or will it?

  8. Credit and ID Monitoring by ThatsNotPudding · · Score: 1, Insightful

    The corporate equivalent of conservative politicians offering 'Thoughts and Prayers' after every mass shooting (instead of doing anything to stop recurrences).

    1. Re:Credit and ID Monitoring by j2.718ff · · Score: 1

      The corporate equivalent of conservative politicians offering 'Thoughts and Prayers' after every mass shooting (instead of doing anything to stop recurrences).

      Indeed, and because 2 years is the standard length of time, many identity thieves are holding onto the stolen data for that long before they start using it.

    2. Re:Credit and ID Monitoring by plover · · Score: 2

      The corporate equivalent of conservative politicians offering 'Thoughts and Prayers' after every mass shooting (instead of doing anything to stop recurrences).

      Not arguing that it's a lame response, but what else can they actually do in response to a breach? Saying "don't have the breach in the first place" is not a valid argument because perfect security simply doesn't exist, especially when it involves humans making judgment calls as to whether or not to question the CEO's urgent request.

      Seriously, if you have a more efficacious solution, please post it.

      --
      John
    3. Re:Credit and ID Monitoring by ScentCone · · Score: 0

      conservative politicians offering 'Thoughts and Prayers' after every mass shooting (instead of doing anything to stop recurrences)

      I believe you're thinking of all of the liberal politicians who use that phrase and then choose not to do anything about it (since not counting terrorist attacks a la San Bernardino, most real mass killings tend to be conducted by mentally unstable people, and it's the left's discomfort with the politically incorrect act of actually calling them that and doing something about it that results in their running around loose until they act on their delusions). No, the left wants to sue the people who make a gun that someone else chooses to use illegally (I presume they'd also sue the people who make a car or a knife that someone uses illegally, but they always want to avoid talking about that). For them, it's all about how to extract money and political power from the situation, not how to prevent violently crazy people from being out and about.

      --
      Don't disappoint your bird dog. Go to the range.
    4. Re:Credit and ID Monitoring by Anonymous Coward · · Score: 0

      For the customers? Nothing.

      But in terms of preventing future harm, they should do the same thing any safety critical industry already knows to do when things go wrong. Have independents come in, investigate exactly what went wrong and recommend what to do to prevent it. That doesn't mean it'll stop happening - but it means now when the same thing happens again the board of directors is directly responsible and it ought to be easy to hold them to account.

    5. Re:Credit and ID Monitoring by fustakrakich · · Score: 1

      prevent violently crazy people from being out and about.

      Whaddya talkin' about? You're about to elect one president! After 15 years of careful cultivation, violent and crazy is the new normal

      --
      “He’s not deformed, he’s just drunk!”
    6. Re:Credit and ID Monitoring by Anonymous Coward · · Score: 0

      Exactly. 2 years is not enough. 10 years minimum, cf. Anthem breach class action suit. Or how about for life, or perpetuity!?! Gotta make it hurt so we get some actual motion on this.

    7. Re:Credit and ID Monitoring by ScentCone · · Score: 1

      Really? I'm no Trump fan, but are you actually going to suggest that he's psychotic, like most who conduct mass murder? Would you like to compare him to the sociopathic liar that is Hillary Clinton (who has actual blood on her hands, around the world), or the hand-wavy-delusional Sanders who's selling fairy tales? What a strange person you are, that you consider the sort of mentally disturbed people who pick up guns, knives, or the keys to their car to deliberately kill as many people as they can to be so inconsequential that you'll just use them casually to score craven (and empty) political points.

      --
      Don't disappoint your bird dog. Go to the range.
    8. Re:Credit and ID Monitoring by fustakrakich · · Score: 0

      Sanders and Hillary don't even hold a candle to him. He's the best carny in the show by far. And your righteous indignation along with that wild imagination is quite an amusing spectacle. I like how you caricaturize mass media input in all your lecturing to those at your feet.

      --
      “He’s not deformed, he’s just drunk!”
    9. Re:Credit and ID Monitoring by ScentCone · · Score: 0

      That sure was a pretentious way of admitting that your analogy was pure BS. Think of how much typing and hot air you could have saved by saying, "Yeah, I guess Trump isn't actually a mass murderer."

      --
      Don't disappoint your bird dog. Go to the range.
    10. Re:Credit and ID Monitoring by fustakrakich · · Score: 0

      You're funny, man. You just make shit up...

      --
      “He’s not deformed, he’s just drunk!”
    11. Re:Credit and ID Monitoring by ScentCone · · Score: 0

      Oh, you mean you really DO think that Trump is a psycho killer? Here I thought you were trolling, instead of just a fool. Silly me!

      --
      Don't disappoint your bird dog. Go to the range.
    12. Re:Credit and ID Monitoring by fustakrakich · · Score: 1

      Silly me!

      Yes... very

      --
      “He’s not deformed, he’s just drunk!”
    13. Re:Credit and ID Monitoring by Mike Van Pelt · · Score: 1

      None of those three are acceptable. At all. If those are the only choices in November, I'm writing in Vermin Supreme. Or maybe Cthulhu.

    14. Re:Credit and ID Monitoring by ScentCone · · Score: 1

      I do applaud your ability to avoid the topic, though. That takes dedication.

      --
      Don't disappoint your bird dog. Go to the range.
    15. Re:Credit and ID Monitoring by fustakrakich · · Score: 1

      What 'topic'? You brought nothing to discuss.

      --
      “He’s not deformed, he’s just drunk!”
  9. Two years protection by Anonymous Coward · · Score: 0

    Feds offered two years of free identity theft insurance and monitoring? For a SnapChat employee?
    But when info got stolen last year their own staff got one?

  10. I wonder by barbariccow · · Score: 1

    I wonder.... all these identity theft hacks all result in the same thing: "X years of free identity theft monitoring for all victims." Seems to me a company that offers such services (some even being blasted over and over by BBB and the like) could benefit a lot from these intrusions.

  11. Snapchat / karma . . . by Anonymous Coward · · Score: 0

    Earlier this year, I found out about an awesome job at Snapchat. The opportunity fit my skill sets and objectives and I could have added huge value. I submitted for it and I got the silent rejection. I don't know why but I have not had a solid employment history recently, which does not look too good. Additionally, I am past my thirties. The rejection obviously hurt, but with this data breach, it does not hurt so much anymore. And no, I had nothing to do with it.

    Thank you for the turndown, Snapchat!

    1. Re:Snapchat / karma . . . by aicrules · · Score: 1

      Maybe they accidentally double tapped on your resume but had already used their free replay for the day. You should try re-sending it.