Security Social Networks

Snapchat Employee Data Leaked Following Phishing Scam (techcrunch.com) 48

An anonymous reader writes: Snapchat suffered a huge data breach over the weekend after an employee fell victim to a phishing email scam which impersonated co-founder and CEO Evan Spiegel requesting payroll information. While the video messaging app's servers were unaffected and user data remained completely safe, both former and current employees were informed that some of their sensitive information had been leaked. Snapchat immediately reported the incident to the FBI and has offered affected staff two years of free identity theft insurance and monitoring. Snapchat admitted that it felt 'real remorse and embarrassment' that one of its employees had fallen for the attack, particularly as it takes privacy and security so seriously.
  • by NotDrWho ( 3543773 ) on Monday February 29, 2016 @02:25PM (#51609995)

    That they all work at Snapchat.

  • Because as of today there will probably be one less employee on it.
  • by swb ( 14022 ) on Monday February 29, 2016 @03:01PM (#51610267)

    ...at least better than "an email from the CEO" asking for a bulk delivery of sensitive information.

    And maybe a process whereby it gets encrypted so only the recipient can open it..

    • by gstoddart ( 321705 ) on Monday February 29, 2016 @03:15PM (#51610339) Homepage

      In your years which allow you to have such a low id ... have you observed that CEOs are likely to follow a damned process? In my experience, the higher up the org chart, the less you're willing to actually follow any processes and policies; I've seen VPs who would do stuff which would get a normal person sacked because it's so stupid and contrary to security policies.

      But, in this specific case, it sounds like a well crafted bit of spear phishing ... an email from someone you know, demanding something they know you have, and containing all of the right cues to make you respond.

      Most people aren't really capable of the sustained level of paranoia which allows you to say "I just received email from our CEO and I need to assume it's completely fraudulent". As much as many of us on Slashdot do it, it's really not a "normal" behavior most people can wrap their head around.

      Not trusting anything is normally considered a mental problem; sadly where it comes to email and modern technology, it's the entirely reasonable response.

      • by swb ( 14022 )

        No, executives always disdain process, the only time they follow it is when they want to drag their feet or they're engaged in some kind of executive politics.

        But I guess the naive optimist in me might believe that an information technology company not far from the center of smartphone privacy and security debates might actually have done some thinking about this, especially since they probably (hopefully?) have some security people on staff and maybe some concern about being penetrated to obtain user infor

    • Based on what I've seen, the email may well have looked something like this:

      "Hi, Bob, this is Evan. I've got an urgent request -- I'm at the IRS office; we're getting audited, and I need you to email me the full employee list with all W2s immediately."

      It's that time of year... And this sort of thing has been exploding recently.

      • by swb ( 14022 )

        I doubt it.

        No corporation that gets audited sends the CEO down to the IRS without representation. That's the whole point of having a CPA handle your taxes. You'd be represented by at least a CPA if not a tax lawyer and corporate counsel.

        And they're not going to ask for documents in person and then tap their watch as they wait for you to get them emailed. It's far more structured than that.

        And you also mean to tell me that someone with wide-open access to sensitive employee data isn't in the loop enough t

        • You're right ... the spear-phishing crook is hoping someone in HR doesn't know that, though, or perhaps hopes they'll get panicked by the email into not examining it closely. Emails like this are being sent out. I have seen several examples. I don't know what percentage of recipients are fooled by them, but I know the percentage is greater than zero.
  • The corporate equivalent of conservative politicians offering 'Thoughts and Prayers' after every mass shooting (instead of doing anything to stop recurrences).
    • The corporate equivalent of conservative politicians offering 'Thoughts and Prayers' after every mass shooting (instead of doing anything to stop recurrences).

      Indeed, and because 2 years is the standard length of time, many identity thieves are holding onto the stolen data for that long before they start using it.

    • by plover ( 150551 )

      The corporate equivalent of conservative politicians offering 'Thoughts and Prayers' after every mass shooting (instead of doing anything to stop recurrences).

      Not arguing that it's a lame response, but what else can they actually do in response to a breach? Saying "don't have the breach in the first place" is not a valid argument because perfect security simply doesn't exist, especially when it involves humans making judgment calls as to whether or not to question the CEO's urgent request.

      Seriously, if you have a more efficacious solution, please post it.

    • conservative politicians offering 'Thoughts and Prayers' after every mass shooting (instead of doing anything to stop recurrences)

      I believe you're thinking of all of the liberal politicians who use that phrase and then choose not to do anything about it (since not counting terrorist attacks a la San Bernardino, most real mass killings tend to be conducted by mentally unstable people, and it's the left's discomfort with the politically incorrect act of actually calling them that and doing something about it that results in their running around loose until they act on their delusions). No, the left wants to sue the people who make a gun

      • prevent violently crazy people from being out and about.

        Whaddya talkin' about? You're about to elect one president! After 15 years of careful cultivation, violent and crazy is the new normal

        • Really? I'm no Trump fan, but are you actually going to suggest that he's psychotic, like most who conduct mass murder? Would you like to compare him to the sociopathic liar that is Hillary Clinton (who has actual blood on her hands, around the world), or the hand-wavy-delusional Sanders who's selling fairy tales? What a strange person you are, that you consider the sort of mentally disturbed people who pick up guns, knives, or the keys to their car to deliberately kill as many people as they can to be so i
  • I wonder.... all these identity theft hacks all result in the same thing: "X years of free identity theft monitoring for all victims." Seems to me a company that offers such services (some even being blasted over and over by BBB and the like) could benefit a lot from these intrusions.
