Snapchat's phishing attack breached 50K accounts
- A phishing attack on Snapchat tricked more than 55,000 users to reveal their account passwords, according to the Verge. The company learned of the data breach in July 2017, when a U.K. government official notified a Snap engineer that the attack resulted in a publicly available list of thousands of users' login information, including passwords, on phishing website klkviral.org.
- The phishing attack relied on a compromised account that sent users a link pointing to a mobile site designed to mimic the Snapchat login screen. The phishers collected login data from users who entered their usernames and passwords on the fake site. In July, Snap observed that a single device had logged into thousands of accounts and marked it as suspicious, but that was after the accounts were compromised.
- Last summer's event appeared to be related to a previous data breach that was believed to have started in the Dominican Republic, the Verge reported. Snap reached out to impacted users and reset most of the breached accounts after the initial attack, though thousands of credentials remained on a public website that host GoDaddy refused to disable.
The phishing attack on Snapchat highlights the precautions that social media companies need to take in protecting user data, particularly for younger smartphone users who can be easily deceived into revealing personal data or into making in-app purchases. To prevent the attacks, social media companies are relying more on artificial intelligence (AI) software and other machine learning techniques to identify and block malicious websites.
As a result of thw phishing attack on Snapchat, Google in July blocked klkviral.org from appearing in search results and marked it as a malicious site for people trying to visit it. Snap also added warnings to notify users when they attempt to send a link to phishing sites such as klkviral.
The attack affected a comparably small number of Snapchat's 187 million users, but served as a reminder of how quickly a phishing attack can spread to thousands of smartphone users.
While many companies have implemented training programs to help their employees identify phishing attacks that come through email or fake virus warnings in pop-up screens, social media providers also need to help educate consumers about malicious activity to prevent people from becoming victims of fraud. Last year, the Federal Trade Commission published a recommendation that urges businesses to protect their brands and customers from phishing by using email authentication. This news further highlights the importance of using strong passwords and two-step login verification tools, a growing emphasis in the tech and data privacy space.