The lesson in Snapchat’s data leak
Snapchat might be one of the biggest tech surprises of recent years – just not for all the right reasons. First released in 2011, the photo-sharing social network (which sends self-destructing “snaps”) saw explosive popularity in both 2012 and 2013. The real shock, however, came in November, when Snapchat declined a cash buyout from Facebook for $3 billion. Many saw this as a serious miscalculation by Snapchat’s young CEO, and with good reason: Snapchat has yet to produce any revenue, and was recently revalued far lower at $2 billion. While it’s unlikely they’ll receive a better offer, it’s a gamble that could still surprise and pay off – just as it did for Mark Zuckerberg when he declined a $1 billion buyout from Yahoo in 2006.
Still, if Snapchat was looking for a fresh wave of positive press, it certainly isn’t starting 2014 with one. On New Year’s Eve, an anonymous hacker leaked 4.6 million Snapchat users’ phone numbers and usernames. While it may not seem as dire as past leaks from other companies – such as the frequent username and password dumps, or Target’s mass credit card leak – there are legitimate concerns, such as stalking. More to the point, it damages Snapchat’s precarious reputation – especially if certain allegations are true.
The leak was made possible by Gibson Security, a self-described group of “poor students, with no stable source of income” out of Australia. More directly, they’re hackers. While Gibson Security claims they didn’t post the leaked information, they did publish documentation of Snapchat’s API, along with details of two exploits, one of which involved the mass matching of phone numbers to Snapchat usernames. That material went up on Christmas Day; the inevitable mass leak of data followed six days later. This is where it gets really interesting: Gibson Security informed Snapchat of the security hole in August. When Snapchat had still refused to comment after four months, the group decided to post the API and exploits. They also allege that the exploits could have been patched with “ten lines of code.”
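The fix the article has in mind is a small one: the lookup endpoint that matched phone numbers to usernames needs a per-account quota so that one caller cannot walk through millions of numbers. The following is an added example of what that kind of guard looks like; it is not Snapchat’s code or Gibson Security’s, and the endpoint name, limits, sample directory and log sink are all assumptions made for illustration.

```python
"""Rate-limited phone-to-username lookup (added example, not Snapchat's code).

A friend-finder endpoint legitimately takes an address book and returns the
entries that are registered users. Left unmetered, the same endpoint answers
bulk queries just as happily. This sketch caps request size, caps the number
of distinct numbers one account may look up per sliding window, and logs the
callers that hit either cap so the abuse is visible before it becomes a leak.
All names, limits and the sample directory below are constructed.
"""
from collections import defaultdict, deque

# Constructed sample directory: phone number -> username (not real data)
DIRECTORY = {
    "+15550000001": "alice",
    "+15550000002": "bob",
    "+15550000003": "carol",
}

MAX_NUMBERS_PER_REQUEST = 100   # assumed: one address-book upload is at most this long
MAX_NUMBERS_PER_WINDOW = 500    # assumed: distinct numbers per account per window
WINDOW_SECONDS = 3600           # assumed: one-hour sliding window


class LookupRateLimiter:
    """Sliding-window count of distinct numbers each caller has queried."""

    def __init__(self, max_per_window, window_seconds):
        self.max_per_window = max_per_window
        self.window = window_seconds
        # caller -> deque of (timestamp, phone) in arrival order
        self._events = defaultdict(deque)

    def _prune(self, caller, now):
        """Drop records older than the window so old lookups stop counting."""
        q = self._events[caller]
        while q and now - q[0][0] >= self.window:
            q.popleft()

    def allow(self, caller, phones, now):
        """Record the numbers and return True if the caller stays under quota.

        Re-querying a number already seen in the window costs nothing; only
        distinct new numbers count, which is what bulk enumeration burns.
        """
        self._prune(caller, now)
        q = self._events[caller]
        already = {p for _, p in q}
        new = [p for p in set(phones) if p not in already]
        if len(already) + len(new) > self.max_per_window:
            return False
        for p in new:
            q.append((now, p))
        return True


default_limiter = LookupRateLimiter(MAX_NUMBERS_PER_WINDOW, WINDOW_SECONDS)
abuse_log = []   # assumed sink; a real service would feed an alerting pipeline


def find_friends(caller, phones, now, limiter=default_limiter):
    """Return {phone: username} for the numbers in DIRECTORY, or refuse.

    Refusals raise PermissionError and leave an entry in abuse_log; the
    refused request consumes no quota, so a blocked caller cannot keep
    probing one number at a time inside the same window.
    """
    if len(phones) > MAX_NUMBERS_PER_REQUEST:
        abuse_log.append(f"caller={caller} oversized request n={len(phones)}")
        raise PermissionError("too many numbers in one request")
    if not limiter.allow(caller, phones, now):
        abuse_log.append(f"caller={caller} exceeded per-window lookup quota")
        raise PermissionError("lookup quota exceeded")
    return {p: DIRECTORY[p] for p in phones if p in DIRECTORY}
```

The numbers chosen for the caps are the part worth thinking about: a real address book rarely exceeds a few hundred entries, so a quota in that range costs honest users nothing while turning a 4.6-million-number walk into tens of thousands of accounts’ worth of effort, each of which shows up in the abuse log.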
The allegations don’t stop there, either. Gibson Security claims in their release that Snapchat lied to both the press and its investors in November, when Snapchat announced that 70% of its user base was female. According to Gibson Security, the internal Snapchat protocol doesn’t track gender information, which means that unless that data came from an outside metrics source, it’s a baseless claim. If this proves to be true, it’s going to be an even larger blow to the startup’s credibility. And, as ZDNet points out:
“[It] now appears that anyone who reverse-engineered Snapchat’s API could have written a script to register false accounts in the tens, if not hundreds of thousands. It’s impossible to know what percentage of Snapchat’s accounts are valid.”
In short, it’s an unfortunate way to kick off the year for Snapchat, which really needs a lot of luck right now if it hopes to outpace Facebook’s offer. Perhaps more importantly, it underscores just how important user security is online – especially for companies in the spotlight. As Target has recently shown, no company – no matter the size – is invulnerable. What stands out here, though, is that Snapchat knew about the security issue well before the leak and did nothing about it. You can also bet this won’t be the last security disaster we see this year, and companies of every size should take note.
Above all, that’s the lesson in Snapchat’s data leak:
See a hole? Patch it before the flood.