Just one week after being warned of its vulnerabilities by a group of white-hat hackers, Snapchat found itself the target of an attack. Late Tuesday, 4.6 million names and phone numbers of Snapchat users were posted to a website called SnapchatDB.info.
The anonymous attack on Snapchat was followed closely by an attack on Microsoft-owned web calling service Skype. The Syrian Electronic Army claimed to be behind the Skype attack.
Snapchat allows users to send in-app messages that self-destruct after a short period of time. Because of this hallmark feature, users have come to expect a certain level of security from the company, says Landor Associates managing director Allen Adamson.
“The brand promise is based on content not being passed around and things disappearing ... The security issue is more problematic than it is [for] other online brands,” says Adamson.
With this promise broken, Adamson and others say Snapchat’s dominance in the private-messaging space may be weakened. As of noon on Thursday, Snapchat had not responded to FOXBusiness.com’s request for comment, but later posted a statement to its company blog and linked out to it on its Twitter account.
Snapchat said a security group had figured out how to access the company's database of usernames and phone numbers using the app's "Find Friends" feature.
"On New Years Eve, an attacker released a database of partially redacted phone numbers and usernames. No other information, including Snaps, was leaked or accessed in these attacks."
The statement also said Snapchat would release an updated version of the app that would allow users to opt out of the "Find Friends" feature.
"The Snapchat community is a place where friends feel comfortable expressing themselves and we’re dedicated to preventing abuse."
A Missed Opportunity
On Dec. 27, Snapchat published a blog post saying it had been alerted that there was a possible vulnerability that could allow hackers to compile a database of Snapchat usernames and phone numbers.
The group that alerted Snapchat, Gibson Security, said in a post on its own website that the vulnerabilities threatened the image of Snapchat as a “secure, fast and easy app for people to use.”
“We don’t believe [Snapchat’s security] is up to scratch for a service such as Snapchat which is based on the idea of ephemeral media, and hope that Snapchat significantly improve their security,” read the post on Gibson’s site.
Snapchat, however, seemed to disagree with Gibson’s warning, with the company saying in its blog post that it had “implemented various safeguards” and “recently added additional counter-measures.”
“In this particular case, what the company has learned is that it has to jump faster on these vulnerabilities and issue patches,” says Steve Ward, a spokesman for security firm Invincea, which counts the U.S. government among its 10,000 clients. While Ward doesn’t feel the attack will be catastrophic for the company, he says there’s a possibility that privacy-conscious users will move away from the app.
In September, Snapchat said users were sending 350 million messages daily through the app. Later in the fall, the venture-backed startup turned down a reported $3 billion acquisition offer from Facebook (FB).
Can Competitors Capitalize on the Attack?
With Snapchat’s secure image tarnished, other startups in the private-messaging space see an opportunity.
“Folks in the competitive landscape will try to use it to their advantage,” predicts Ward.
One such startup, Wickr, which also provides a self-destructing message service, has already seen a 25% uptick in downloads compared to an average day, says founder Nico Sell.
“Snapchat is implying privacy, and to me it’s an illusion of privacy,” says Sell, who adds that Wickr is likely benefiting from the Skype breach as well.
Sell, a hacker herself, built Wickr with the intention of building a more secure messaging service. She says the app took a team of 10 security and privacy engineers a year to build.
“We designed our system as a zero-knowledge system, so we’re never vulnerable to hackers or federal government requests,” says Sell. She says the app saw a thousand-percent spike in downloads following the Edward Snowden scandal. Recently, Wickr received a reported $7.4 million round of funding from Gilman Louie, who previously founded In-Q-Tel, a non-profit venture capital firm that invests in technologies that support the CIA.
While Sell is pleased to see more users join the 1 million already on the app, she says any newcomers will find Wickr organically – rather than as a result of a media blitz based on Snapchat and Skype’s recent attacks.
“We try not to dance on other people’s graves. Nobody’s security is perfect, but they misled a lot of people … [People] will move over without us doing anything, other than keep on doing a good job,” says Sell.