In a blog post titled ‘An Apology To Our Employees’, Snapchat has admitted ‘with real remorse – and embarrassment’ that a phishing scam has leaked employee payroll information.
The phishing scam hit on Friday 26th February, when a scammer impersonated Snapchat CEO Evan Spiegel and asked for employee information. Unfortunately, a Snapchat employee fell for the phishing scam and the payroll information of around 700 current and former employees was disclosed to the attacker.
This attack on Snapchat reveals the relative ease and simplicity of a phishing attack – which is one of the reasons why phishing remains one of the top threat vectors for cyber attacks.
The attackers chose an easy channel to exploit in order to get into the company – HR – and chose a well-known figure to impersonate. As Wieland Alge, VP & GM EMEA at Barracuda Networks, said: "In today’s digital age, data breaches that result from targeted email phishing have become increasingly common.
"Typically, these messages appear to come from a trustworthy source, so initially those that have been the target of an attack don’t even realise they’ve fallen victim. Some of the most successful phishing attacks are those that successfully impersonate a person, particularly if that person is well-known to the recipient. While the Snapchat payroll team probably don’t have a daily correspondence with Snapchat’s CEO, they clearly know who and how important he is – hence why they fell for the scam."
"In this case, the hackers took advantage of one of the easiest channels for business phishing attacks – HR departments. HR and payroll are flooded with emails containing all types of attachments and they are encouraged and even obliged to open them."
Snapchat was quick to state that no servers were breached and that user data was entirely unaffected. Within four hours of discovering the scam, Snapchat confirmed that the attack was an isolated incident and reported it to the FBI. The company has since contacted the affected employees and offered them two years of free identity-theft insurance and monitoring.
Accepting full responsibility for the attack, Snapchat said:
"When something like this happens, all you can do is own up to your mistake, take care of the people affected, and learn from what went wrong. To make good on that last point, we will redouble our already rigorous training programs around privacy and security in the coming weeks. Our hope is that we never have to write a blog post like this again."
However, the fact that a company like Snapchat could fall victim to a simple phishing attack, despite its tech-savvy reputation, highlights how adept hackers are with their phishing lures. Jonathan Sander, VP of Product Strategy at Lieberman Software, said:
"The fact that Snapchat got snagged with this shows that being young, cool, and high tech doesn’t protect you from being a phishing target. Bad guys are getting so good at phishing that they aren’t just fooling that older relative who calls a grandchild every time they need to print something.
"Even people born into the Internet, apps, and the cloud are clicking on bad links. That’s very good news for attackers in case they were worried that millennials would put them out of the phishing business with their tech-savviness."