Slashdot Mirror

← Back to Stories (view on slashdot.org)

Snapchat Employee Data Leaked Following Phishing Scam (techcrunch.com)

Posted by yaelk on from the dont-share-personal-info dept.

An anonymous reader writes: Snapchat suffered a huge data breach over the weekend after an employee fell victim to a phishing email scam which impersonated co-founder and CEO Evan Spiegel requesting payroll information. While the video messaging app's servers were unaffected and user data remained completely safe, both former and current employees were informed that some of their sensitive information had been leaked. Snapchat immediately reported the incident to the FBI and has offered affected staff two years of free identity theft insurance and monitoring. Snapchat admitted that it felt 'real remorse and embarrassment' that one of its employees had fallen for the attack, particularly as it takes privacy and security so seriously.

22 of 48 comments (clear)

  1. Most embarrassing revelations by NotDrWho · · Score: 4, Funny

    That they all work at Snapchat.

    --
    SJW's don't eliminate discrimination. They just expropriate it for themselves.
    1. Re:Most embarrassing revelations by gstoddart · · Score: 4, Funny

      Isn't snapchat where you show your penis to random people on the internet and see how long before they disconnect?

      You'd think she'd recognize the CEO. ;-)

      --
      Lost at C:>. Found at C.
    2. Re:Most embarrassing revelations by NotDrWho · · Score: 3, Funny

      They told me I wasn't qualified to work there because I don't use terms like "Umadbro" in my internet posts.

      --
      SJW's don't eliminate discrimination. They just expropriate it for themselves.
  2. Looks like that payroll data is already stale by JoeyRox · · Score: 1

    Because as of today there will probably be one less employee on it.

  3. You would think there would be better processes by swb · · Score: 3

    ...at least better than "an email from the CEO" asking for a bulk delivery of sensitive information.

    And maybe a process whereby it gets encrypted so only the recipient can open it..

    1. Re:You would think there would be better processes by gstoddart · · Score: 3, Insightful

      In your years which allow you to have such a low id ... have you observed that CEOs are likely to follow a damned process? In my experience, the higher up the org chart, the less you're willing to actually follow any processes and policies; I've seen VPs who would do stuff which would get a normal person sacked because it's so stupid and contrary to security policies.

      But, in this specific case, it sounds like a well crafted bit of spear phishing ... an email from someone you know, demanding something they know you have, and containing all of the right cues to make you respond.

      Most people aren't really capable of the sustained level of paranoia which allows you to say "I just received email from our CEO and I need to assume it's completely fraudulent". As much as many of us on Slashdot do it, it's really not a "normal" behavior most people can wrap their head around.

      Not trusting anything is normally considered a mental problem; sadly where it comes to email and modern technology, it's the entirely reasonable response.

      --
      Lost at C:>. Found at C.
    2. Re:You would think there would be better processes by swb · · Score: 2

      No, executives always disdain process, the only time they follow it is when they want to drag their feet or they're engaged in some kind of executive politics.

      But I guess the naive optimist in me might believe that an information technology company not far from the center of smartphone privacy and security debates might actually have done some thinking about this, especially since they probably (hopefully?) have some security people on staff and maybe some concern about being penetrated to obtain user information and/or compromise messaging.

      I guess I wouldn't even question the lack of process it if it was any other kind of company involved.

      But like I said, I'm a long-time pessimist whose naive optimism apparently can't be killed off.

    3. Re:You would think there would be better processes by Mike+Van+Pelt · · Score: 1

      Based on what I've seen, the email may well have looked something like this:

      "Hi, Bob, this is Evan. I've got an urgent request -- I'm at the IRS office; we're getting audited, and I need you to email me the full employee list with all W2s immediately.

      It's that time of year... And this sort of thing has been exploding recently.

    4. Re:You would think there would be better processes by swb · · Score: 1

      I doubt it.

      No corporation that gets audited sends the CEO down to the IRS without representation. That's the whole point of having a CPA handle your taxes. You'd be represented by at least a CPA if not a tax lawyer and corporate counsel.

      And they're not going to ask for documents in person and then tap their watch as they wait for you to get them emailed. It's far more structured than that.

      And you also mean to tell me that someone with wide-open access to sensitive employee data isn't in the loop enough to know if the company is being audited?

      I think this creates the very definition of a fucked company that has other problems -- CEO self representing at an audit, handing over documents on demand without advice of counsel, and a corporate accounting and finance department completely out of the loop.

    5. Re:You would think there would be better processes by Mike+Van+Pelt · · Score: 1

      You're right ... the spear-phishing crook is hoping someone in HR doesn't know that, though, or perhaps hopes they'll get panicked by the email into not examining it closely. Emails like this are being sent out. I have seen several examples. I don't know what percentage of recipients are fooled by them, but I know the percentage is greater than zero.

  4. Credit and ID Monitoring by ThatsNotPudding · · Score: 1, Insightful

    The corporate equivalent of conservative politicians offering 'Thoughts and Prayers' after every mass shooting (instead of doing anything to stop recurrences).

    1. Re:Credit and ID Monitoring by j2.718ff · · Score: 1

      The corporate equivalent of conservative politicians offering 'Thoughts and Prayers' after every mass shooting (instead of doing anything to stop recurrences).

      Indeed, and because 2 years is the standard length of time, many identity thieves are holding onto the stolen data for that long before they start using it.

    2. Re:Credit and ID Monitoring by plover · · Score: 2

      The corporate equivalent of conservative politicians offering 'Thoughts and Prayers' after every mass shooting (instead of doing anything to stop recurrences).

      Not arguing that it's a lame response, but what else can they actually do in response to a breach? Saying "don't have the breach in the first place" is not a valid argument because perfect security simply doesn't exist, especially when it involves humans making judgment calls as to whether or not to question the CEO's urgent request.

      Seriously, if you have a more efficacious solution, please post it.

      --
      John
    3. Re:Credit and ID Monitoring by fustakrakich · · Score: 1

      prevent violently crazy people from being out and about.

      Whaddya talkin' about? You're about to elect one president! After 15 years of careful cultivation, violent and crazy is the new normal

      --
      “He’s not deformed, he’s just drunk!”
    4. Re:Credit and ID Monitoring by ScentCone · · Score: 1

      Really? I'm no Trump fan, but are you actually going to suggest that he's psychotic, like most who conduct mass murder? Would you like to compare him to the sociopathic liar that is Hillary Clinton (who has actual blood on her hands, around the world), or the hand-wavy-delusional Sanders who's selling fairy tales? What a strange person you are, that you consider the sort of mentally disturbed people who pick up guns, knives, or the keys to their car to deliberately kill as many people as they can to be so inconsequential that you'll just use them casually to score craven (and empty) political points.

      --
      Don't disappoint your bird dog. Go to the range.
    5. Re:Credit and ID Monitoring by fustakrakich · · Score: 1

      Silly me!

      Yes... very

      --
      “He’s not deformed, he’s just drunk!”
    6. Re:Credit and ID Monitoring by Mike+Van+Pelt · · Score: 1

      None of those three are acceptable. At all. If those are the only choices in November, I'm writing in Vermin Supreme. Or maybe Cthulhu.

    7. Re:Credit and ID Monitoring by ScentCone · · Score: 1

      I do applaud your ability to avoid the topic, though. That takes dedication.

      --
      Don't disappoint your bird dog. Go to the range.
    8. Re:Credit and ID Monitoring by fustakrakich · · Score: 1

      What 'topic'? You brought nothing to discuss.

      --
      “He’s not deformed, he’s just drunk!”
  5. Re:AppChat appers should know better! by vel-ex-tech · · Score: 1

    Oh come on, people! -1? The apps guy actually has a point here! (Stopped watch and all that.) Throw the man a funny mod or two.

    Email is fundamentally insecure for the layperson. I'm not going to expect a layperson to dig through email headers to figure out if something is a spearphishing attack or not, and laypeople generally lack the attention to detail to even have red flags go up in the first place. That's assuming their email client is even configured to display the actual email address of the sender in the <brackets> instead of just the sender's name.

    On the other hand, if instead of using Luddite email, SnapChat had been using something cryptographically secure for internal communications (like an APP!), spearphishing would not have succeeded.

  6. I wonder by barbariccow · · Score: 1

    I wonder.... all these identity theft hacks all result in the same thing: "X years of free identity theft monitoring for all victims." Seems to me a company that offers such services (some even being blasted over and over by BBB and the like) could benefit a lot from these intrusions.

  7. Re:Snapchat / karma . . . by aicrules · · Score: 1

    Maybe they accidentally double tapped on your resume but had already used their free replay for the day. You should try re-sending it.