“Oh snap!” was the battle cry across the Internet as millions using Snapchat, a popular online messaging service, discovered their usernames and phone numbers dumped on the Internet by hackers during the holidays – apparently to make the point that Snapchat’s security was not up to snuff, even as it is assiduously courted by investors from Wall Street to China.
After warning ahead of the holidays that Snapchat was vulnerable to security breaches and, on Christmas Eve, displaying how those breaches might occur, a Sydney-based research group called Gibson Security posted a link for Snapchat users to look up whether they were among the 4.6 million whose data had been subsequently hacked. In an emailed statement to Newsweek late Thursday, one of the three-strong team of engineers at Gibson said “we have no relationship” with the hack or those behind it, “nor do we condone their efforts.”
The bigger question on everybody’s lips did not concern the release of such content as usernames and phone numbers so much as the rather more personal material known to circulate among Snapchat’s rabid devotees – specifically, compromising photos and videos that its users send to one another and which are supposed to self-destruct seconds after being viewed.
“If you have the username and password of the person receiving the content, images can be intercepted,” said the engineer at Gibson Security, who asked to remain anonymous. “This has been documented for quite some time and it is a fundamental issue with Snapchat's security.”
As it turns out, 100 percent foolproof security for not-safe-for-work content on the Internet is a little bit like hunting down a unicorn, said Oliver Day, 38, a security consultant based in Cambridge, Mass., who’s worked with the Berkman Center at Harvard University, digital-security companies and a smattering of nonprofits.
“Let’s say my girlfriend sends me a naked picture of herself through Snapchat,” he said. “Just because the image supposedly disappears doesn’t mean I can’t find another way to capture it. You can just take a screenshot with another photographic device, which most of us now have.”
Luckily, the data dump, initiated by what appears to be a single hacker or a group of hackers, did not appear to include compromising photos or videos from Snapchat users. It did, however, succeed in hammering home the point that Snapchat users are not as shielded from view as they think, calling into question the true value of the social media service, which in the past year has become an online media darling.
“Snapchat’s entire business model is predicated on photos disappearing after they are sent,” says a Wall Street hedge fund executive. “But I have a question: Did anyone using Snapchat actually believe it was safe, even prior to this?”
The privacy issue could be a major setback for Snapchat, a two-year-old start-up run by its 23-year-old CEO, Stanford grad Evan Spiegel, who co-founded the company with another Stanford grad, Robert Murphy. Snapchat has been valued at $4 billion by Chinese e-commerce company Tencent Holdings, and Spiegel turned down an all-cash offer of around $3 billion from Facebook late last year.
Snapchat, which is still assessing the damage done by the security breach, did not respond to requests for comment, but according to its privacy policy, once recipients have viewed its content, “we automatically delete the snap from our servers and our services are programmed to delete the snap from the recipients’ devices.”
That is some very careful wording, Day says. “If mobile phones are reconfigured to function in ways not originally intended by the manufacturers – something we call ‘jailbreaking’ – apps like Snapchat will not necessarily work as promised.”
In other words, Snapchat will only carry out its intended function if the phone also operates exactly as intended. “If you remove the controls from your phone, there’s nothing that Snapchat can do to take the content back from you,” he says.
Gibson Security, which first aired its concerns about Snapchat in August, describes itself as a team of “reverse engineers” and specializes in web application development. A representative from the hackers’ group was not immediately available to comment.
The data breach does not necessarily mean it’s curtains on Wall Street for Snapchat, which late last month stated it had “implemented various safeguards to make it more difficult” to impinge on its security.
While the application’s meteoric rise was buoyed by the perception the app could be used for the ephemeral transmission of risqué content – including so-called “sexting” – its popularity has reached far beyond that demographic, users say.
“I use it a lot and didn’t get hacked,” says one user, Cheri Howes. She’s heard about Snapchat’s more ribald uses but prefers the app for sharing jokes with her son. “He sends pics of gross food he’s eating and stuff like that.”
Day agrees. “It’s not like the Snapchat messages themselves have been leaked – that would be a business-ender. They’ve revealed some names and phone numbers but, from a broader security perspective, you can’t call it an immediate threat.”
Given the fluidity and rapid evolution of the mobile-messaging arena, investors will be hard-pressed to tweak their valuations of the company until they’ve seen how users react to the security breach in the coming days, says the hedge funder.
“The question is, how do people use Snapchat now?” he says. “Facebook has a very different demographic than its origins. This dovetails with the larger conversation about whether the next generation can be embarrassed by anything online, or if the concept of embarrassment due to online images is passé.”