Snapchat Employee Data Leaked Following Phishing Scam

An anonymous reader writes: Snapchat suffered a huge data breach over the weekend after an employee fell victim to a phishing email scam which impersonated co-founder and CEO Evan Spiegel requesting payroll information. While the video messaging app's servers were unaffected and user data remained completely safe, both former and current employees were informed that some of their sensitive information had been leaked. Snapchat immediately reported the incident to the FBI and has offered affected staff two years of free identity theft insurance and monitoring. Snapchat admitted that it felt 'real remorse and embarrassment' that one of its employees had fallen for the attack, particularly as it takes privacy and security so seriously.

Most embarrassing revelations

[NotDrWho]

That they all work at Snapchat.

Re:Most embarrassing revelations

[gstoddart]

Isn't snapchat where you show your penis to random people on the internet and see how long before they disconnect?

You'd think she'd recognize the CEO. ;-)

Re:Most embarrassing revelations

[NotDrWho]

They told me I wasn't qualified to work there because I don't use terms like "Umadbro" in my internet posts.

You would think there would be better processes

[swb]

...at least better than "an email from the CEO" asking for a bulk delivery of sensitive information.

And maybe a process whereby it gets encrypted so only the recipient can open it..

Re:You would think there would be better processes

[gstoddart]

In your years which allow you to have such a low id ... have you observed that CEOs are likely to follow a damned process? In my experience, the higher up the org chart, the less you're willing to actually follow any processes and policies; I've seen VPs who would do stuff which would get a normal person sacked because it's so stupid and contrary to security policies.

But, in this specific case, it sounds like a well crafted bit of spear phishing ... an email from someone you know, demanding something they know you have, and containing all of the right cues to make you respond.

Most people aren't really capable of the sustained level of paranoia which allows you to say "I just received email from our CEO and I need to assume it's completely fraudulent". As much as many of us on Slashdot do it, it's really not a "normal" behavior most people can wrap their head around.

Not trusting anything is normally considered a mental problem; sadly where it comes to email and modern technology, it's the entirely reasonable response.

Re:You would think there would be better processes

[swb]

No, executives always disdain process, the only time they follow it is when they want to drag their feet or they're engaged in some kind of executive politics.

But I guess the naive optimist in me might believe that an information technology company not far from the center of smartphone privacy and security debates might actually have done some thinking about this, especially since they probably (hopefully?) have some security people on staff and maybe some concern about being penetrated to obtain user information and/or compromise messaging.

I guess I wouldn't even question the lack of process it if it was any other kind of company involved.

But like I said, I'm a long-time pessimist whose naive optimism apparently can't be killed off.

Re:Credit and ID Monitoring

[plover]

The corporate equivalent of conservative politicians offering 'Thoughts and Prayers' after every mass shooting (instead of doing anything to stop recurrences).

Not arguing that it's a lame response, but what else can they actually do in response to a breach? Saying "don't have the breach in the first place" is not a valid argument because perfect security simply doesn't exist, especially when it involves humans making judgment calls as to whether or not to question the CEO's urgent request.

Seriously, if you have a more efficacious solution, please post it.