Snapchat admitted that hackers were able to access sensitive employee data after a member of staff fell for a phishing email which claimed to be from co-founder and CEO Evan Spiegel.
In a blog post confirming the breach, Snapchat said it was embarrassed that one of its employees fell for the scam as it is “a company that takes privacy and security seriously.” The company pointed out that while some employees’ data was leaked and their identities compromised, user data was never at risk. “The good news is that our servers were not breached, and our users’ data was totally unaffected by this.”
The hacker or hackers behind the scam used the increasingly popular social engineering tactic of phishing to get access to the information. Phishing scams typically involve highly tailored emails sent to specific employees within the target organization; the emails appear to come from a legitimate source and contain information that employees might expect to see.
In this case, the scammer impersonated Evan Spiegel, the co-founder and CEO of Snapchat, asking for access to payroll information. The scam was not detected, and payroll information about some current and former employees was disclosed externally, the company said.
Snapchat said the breach was an isolated incident and reported it to the FBI. The company says it will redouble its staff training around security in a bid to make sure this doesn’t happen again. “When something like this happens, all you can do is own up to your mistake, take care of the people affected, and learn from what went wrong,” the company said.
Snapchat users have previously been the victims of several high-profile hacks. In December 2013, usernames and phone numbers of 4.6 million Snapchat users were leaked online. In October 2014, over 98,000 files — including videos and photos — from Snapchat users were posted online, though that breach was the result of weakened security of a third-party app which allowed users to save Snapchat content.