Snapchat's "meh" hack

By Adam L. Penenberg, written on January 2, 2014

From The News Desk

Snapchat, the popular messaging and photo app, was hacked, and it appears all the hackers got was access to a database with 2 million Snapchat names and their corresponding phone numbers. It likely didn't cause lasting damage, other than to Snapchat's reputation, although it's possible we'll see an uptick in phishes and spam purporting to come from the company.

Unlike with the hack of Target last month, when the retailer reported the theft of 40 million credit and debit cards used in its stores between Black Friday and December 15th, the Snapchat attack, on a scale of hacks between meh and epic, would rank closer to meh. It's kind of like a bank robber walking off with laundry bags stuffed with deposit slips.

Meanwhile, around the same time, Skype's official blog and Facebook page were also hacked by a group calling itself the Syrian Electronic Army, which issued a warning: "Hacked by the Syrian Army… Stop spying." Also a meh, although at least it has a political message. That said, the Skype attack was to its Facebook page and official blog, not a penetration of its entire system. That would be like tagging the front entrance of your local bank with graffiti.

With Target, credit card users whose numbers were filched might receive new cards in the mail, and if it was a debit card, then they'd best change their PINs, but as splashy as that hack was, it, too, has been little more than an inconvenience. Not exactly a "meh" but not dire either. In the end, it was more of an embarrassment to Target than anything else.

Snapchat's problems may have to do with scaling. When a company grows as fast as Snapchat has, it's hard enough just to keep the site online and the app functioning. Security is often an afterthought, especially when it doesn't generate revenue. It's happened to some of the best companies.

For example, in the late 1990s, I interviewed a hacker who called himself MagicFX and claimed he had penetrated eBay's computer network.

"Anyone can say they hacked eBay," I said. "And don't send me eBay’s password or credit card file. I don't want to be in receipt of stolen goods."

I didn't tell MagicFX how to prove his point. I assumed he was either all bluster and would melt back into cyberspace or that he would do something like insert a phony tag line into one of the ads: "Used cyber journalist’s computer for sale. $25 or best bid."

Instead, he replaced eBay’s homepage with one of his own design that read: "Proof by MagicFX that you can’t always trust people…not even huge companies. {who woulda known that?}…It's 930 PM…do you know who has YOUR credit card information?"

"Okay, Okay," I blurted out. "You made your point. Now put it back." (He did.)

Eventually the hacker was caught, and eBay continued its torrential user base growth, in time becoming, well, eBay.

Snapchat didn't do itself any favors with its slow response to the security hole, which was publicized last week by Gibson Security, a band of "white hat" hackers. This was the exploit the hackers used in penetrating Snapchat's computer network. Yet two days after Christmas Eve, when Gibson posted a message about this flaw on its corporate blog, Snapchat brushed off these concerns.

In a sense, Snapchat is lucky that it doesn't have much of value worth stealing -- yet. It generates no revenue, which means no credit cards stuffed into its database. The company would be wise to learn from this and, as it continues to scale, make security a higher priority.

eBay did. So can Snapchat.
