News of the breach first came to light on Friday when it emerged that a third-party service used on Snapchat – the popular instant messenger service for smartphones which lets users send and receive self-destructing messages – had been hacked, with the unidentified hackers subsequently posting users' naked images online over the weekend.
Snapsaved.com is a website which lets Snapchat users – almost half of whom are teenagers aged 13-17 years old – use the service on desktop computers, but unbeknown to them the site was reportedly connecting to Snapchat servers and maliciously storing their log-in credentials, photos and videos.
Hackers claimed to have compromised the website late last week, posting on the notorious 4chan community forum that they would leak users' pictures, videos and account details. The first of these images – of which there are supposedly 200,000 in total (around 13 Gigabytes of material) – reportedly appeared on a website on Sunday.
Some internet users took to Reddit to complain about the lack of naked pictures but one added that there were “maybe 100MB of actual nudes” in both photo and video form. Law enforcement has warned that anyone downloading the files could be in violation of child pornography laws if any of the pictures include unclothed children under the age of 16 – even if the child took the image.
Snapchat responded to the hack – which is being called ‘The Snappening’ in some quarters – by directing the blame squarely at Snapsaved.com.
“We can confirm that Snapchat's servers were never breached and were not the source of these leaks,” the firm said in a statement.
Snapsaved.com issued a statement of its own on Facebook to say that the mistake was due to a web server error.
“I would like to inform the public that snapsaved.com was hacked, the dictionary index the poster is referring to, was never publicly available,” said a company spokesperson responding to an online inquiry. “We had a misconfiguration in our Apache server. Snapchat has not been hacked, and these images do not originate from their database.
“As soon as we discovered the breach in our systems, we immediately deleted the entire website and the database associated with it. As far as we can tell, the breach has effected (sic) 500MB of images, and of personal information from the database.”
However, an anonymous source later claimed on Pastebin that the website's administrators had provided hackers with access to the database.
This is the second serious data breach for Snapchat this year, with the social media start-up – the subject of a US$3 billion (£1.85 billion) bid by Facebook one year ago – having been the subject of a hack late last year in which 4.6 million usernames and phone numbers were stolen and posted on a website called SnapchatDB.
“I suspect that many of Snapchat's users have been lulled into a false sense of security, imagining that it is safe to share intimate images via the app and believing the marketing propaganda that suggests images will be safely erased forever within ten seconds,” wrote veteran security researcher Graham Cluley on the Hot for Security blog.
Katie King, managing director of the Zoodikers consultancy, added in an email to SCMagazineUK.com that the hack is proof that no service proclaiming to be secure is immune from attack, and said that more regulation is needed to tackle cyber-criminals.
“The hacking of Snapsaved and the leak of over 100,000 images sent via the Snapchat app shows that no data is safe,” said King. “Even bold claims such as ‘self-destructing’ images are still at risk from cyber criminals, as evident here. Moreover, the lack of regulation and the anonymity of hackers makes it all the more difficult for cyber criminals to be brought to justice.
“I would urge all Internet users to think twice before signing up to third party websites or apps, particularly those that ask for personal details. Furthermore, not sending compromising images into the digital space is also wise.”