Snapchat Employee Data Leaked Following Phishing Scam (techcrunch.com) 48
An anonymous reader writes: Snapchat suffered a huge data breach over the weekend after an employee fell victim to a phishing email scam which impersonated co-founder and CEO Evan Spiegel requesting payroll information. While the video messaging app's servers were unaffected and user data remained completely safe, both former and current employees were informed that some of their sensitive information had been leaked. Snapchat immediately reported the incident to the FBI and has offered affected staff two years of free identity theft insurance and monitoring. Snapchat admitted that it felt 'real remorse and embarrassment' that one of its employees had fallen for the attack, particularly as it takes privacy and security so seriously.
Most embarrassing revelations (Score:4, Funny)
That they all work at Snapchat.
Re:Most embarrassing revelations (Score:5, Funny)
Isn't snapchat where you show your penis to random people on the internet and see how long before they disconnect?
You'd think she'd recognize the CEO. ;-)
Re:Most embarrassing revelations (Score:4, Funny)
They told me I wasn't qualified to work there because I don't use terms like "Umadbro" in my internet posts.
Re: (Score:1)
Oh come on, people! -1? The apps guy actually has a point here! (Stopped watch and all that.) Throw the man a funny mod or two.
Email is fundamentally insecure for the layperson. I'm not going to expect a layperson to dig through email headers to figure out if something is a spearphishing attack or not, and laypeople generally lack the attention to detail to even have red flags go up in the first place. That's assuming their email client is even configured to display the actual email address of the sen
Looks like that payroll data is already stale (Score:2)
You would think there would be better processes (Score:4)
...at least better than "an email from the CEO" asking for a bulk delivery of sensitive information.
And maybe a process whereby it gets encrypted so only the recipient can open it..
Re:You would think there would be better processes (Score:4, Insightful)
In your years which allow you to have such a low id ... have you observed that CEOs are likely to follow a damned process? In my experience, the higher up the org chart, the less you're willing to actually follow any processes and policies; I've seen VPs who would do stuff which would get a normal person sacked because it's so stupid and contrary to security policies.
But, in this specific case, it sounds like a well crafted bit of spear phishing ... an email from someone you know, demanding something they know you have, and containing all of the right cues to make you respond.
Most people aren't really capable of the sustained level of paranoia which allows you to say "I just received email from our CEO and I need to assume it's completely fraudulent". As much as many of us on Slashdot do it, it's really not a "normal" behavior most people can wrap their head around.
Not trusting anything is normally considered a mental problem; sadly where it comes to email and modern technology, it's the entirely reasonable response.
Re: (Score:3)
No, executives always disdain process, the only time they follow it is when they want to drag their feet or they're engaged in some kind of executive politics.
But I guess the naive optimist in me might believe that an information technology company not far from the center of smartphone privacy and security debates might actually have done some thinking about this, especially since they probably (hopefully?) have some security people on staff and maybe some concern about being penetrated to obtain user infor
Re: (Score:2)
Based on what I've seen, the email may well have looked something like this:
"Hi, Bob, this is Evan. I've got an urgent request -- I'm at the IRS office; we're getting audited, and I need you to email me the full employee list with all W2s immediately.
It's that time of year... And this sort of thing has been exploding recently.
Re: (Score:2)
I doubt it.
No corporation that gets audited sends the CEO down to the IRS without representation. That's the whole point of having a CPA handle your taxes. You'd be represented by at least a CPA if not a tax lawyer and corporate counsel.
And they're not going to ask for documents in person and then tap their watch as they wait for you to get them emailed. It's far more structured than that.
And you also mean to tell me that someone with wide-open access to sensitive employee data isn't in the loop enough t
Re: (Score:2)
Credit and ID Monitoring (Score:2, Insightful)
Re: (Score:2)
The corporate equivalent of conservative politicians offering 'Thoughts and Prayers' after every mass shooting (instead of doing anything to stop recurrences).
Indeed, and because 2 years is the standard length of time, many identity thieves are holding onto the stolen data for that long before they start using it.
Re: (Score:3)
The corporate equivalent of conservative politicians offering 'Thoughts and Prayers' after every mass shooting (instead of doing anything to stop recurrences).
Not arguing that it's a lame response, but what else can they actually do in response to a breach? Saying "don't have the breach in the first place" is not a valid argument because perfect security simply doesn't exist, especially when it involves humans making judgment calls as to whether or not to question the CEO's urgent request.
Seriously, if you have a more efficacious solution, please post it.
Re: (Score:1)
conservative politicians offering 'Thoughts and Prayers' after every mass shooting (instead of doing anything to stop recurrences)
I believe you're thinking of all of the liberal politicians who use that phrase and then choose not to do anything about it (since not counting terrorist attacks a la San Bernadino, most real mass killings tend to be conducted by mentally unstable people, and it's the left's discomfort with the politically incorrect act of actually calling them that and doing something about it that results in their running around loose until they act on their delusions). No, the left wants to sue the people who make a gun
Re: (Score:1)
prevent violently crazy people from being out and about.
Whaddya talkin' about? You're about to elect one president! After 15 years of careful cultivation, violent and crazy is the new normal
Re: (Score:2)
Re: (Score:1)
Re: (Score:1)
Re: (Score:1)
Silly me!
Yes... very
Re: (Score:2)
Re: (Score:1)
What 'topic'? You brought nothing to discuss.
Re: (Score:2)
I wonder (Score:1)
Re: (Score:2)