Entertainment

‘The Snappening’ Is Real: 90,000 Private Photos and 9,000 Hacked Snapchat Videos Leak Online

Privacy Issues

In the wake of widespread celebrity hacking, a third-party Snapchat client dubbed SnapSaved was reportedly breached, leading to the biggest leak of personal photos ever.

articles/2014/10/13/the-snappening-is-real-90k-private-photos-and-9k-videos-hacked-and-leaked-online/141011-marlow-snapchat-leak-tease2_hffruu
The Daily Beast

First came “The Fappening,” wherein hackers breached Apple’s online storage system iCloud and leaked hundreds of private nude photos and videos of female celebrities like Jennifer Lawrence, Cara Delevingne, Kim Kardashian, Rihanna, and others. A crude portmanteau of “fapping” (online slang for masturbation) and the M. Night Shyamalan disaster The Happening, the cache of stolen content spread like wildfire on the message boards 4chan and Reddit. It was reportedly pilfered via “brute force” attacks—attempting thousands of key combinations—since the iCloud places no limit on the number of passwords one can try.

Now, there’s “The Snappening”—a leak of approximately 90,000 photos and 9,000 videos stolen off the mobile app Snapchat. The Daily Beast can confirm that despite rumors of a hoax, the leak is genuine, and most of the affected users hail from Europe, which makes up 32 percent of its overall audience, according to Snapchat. Unlike “The Fappening,” the victims are split fairly evenly between males and females, but like “The Fappening,” much of the content is explicit in nature.

The 13.6 GB file was first posted online via viralpop.com, a bogus website. Soon after, the site was deleted—but not before thousands of people downloaded the large file of stolen photos and videos, which was once again shared like crazy on 4chan and Reddit.

ADVERTISEMENT

In a written statement, Snapchat’s spokesperson claimed that the app’s servers were not compromised:

“We can confirm that Snapchat’s servers were never breached and were not the source of these leaks. Snapchatters were victimized by their use of third-party apps to send and receive Snaps, a practice that we expressly prohibit in our Terms of Use precisely because they compromise our users’ security. We vigilantly monitor the App Store and Google Play for illegal third-party apps and have succeeded in getting many of these removed.”

According to Business Insider, the “third-party app” in question is reportedly SnapSaved.com, a web client compatible with Snapchat that allowed users to store photos and videos sent from Snapchat online. Unfortunately, the site was storing all the “private” Snapchats on a web server, along with the usernames of senders. The site SnapSaved.com was removed several months back, and no longer exists.

This whole episode is of particular worry to Snapchat users since the photo and video messaging service’s claim to fame is that the sent file self-destructs after viewing—not in the Mission: Impossible sense, but that it disappears from one’s mobile device and is scrubbed from Snapchat’s company servers. Because of its “self-destruct” reputation, the app is a popular tool among youngsters for transmitting sexually explicit material. Snapchat claims that 50 percent of its users are between 13-17 years of age, this potentially brings “The Snappening” into child pornography territory.

Venture capitalists believe Snapchat to be a very valuable company. Last year, the company raised funding at a $2 billion valuation and shot down a $3 billion acquisition offer from Facebook. And earlier this year, Alibaba reportedly mulled an investment in Snapchat at a $10 billion valuation, according to The Wall Street Journal. The company claims that users send up to 700 million snaps a day, and although Snapchat won’t disclose how many people use the app, reports indicate that it may boast as many as 100 million monthly users.

Still, both the security and ephemerality of Snapchat’s “snaps” have been a subject of great debate since the app launched in July 2011.

Back in Aug. 2013, the Internet security group Gibson Security claimed it had found a vulnerability in Snapchat’s friend-finder feature. When a user signs up for Snapchat, they have the option of registering their phone number so friends with that phone number in their address books can easily find and add their friend in the app (since Snapchat usernames are typically wonky). Gibson Security claimed that hackers could fairly easily find the phone numbers behind users’ Snapchat handles by exploiting said vulnerability, outlined here. On Dec. 27, Snapchat shot down the findings on their own blog. Four days later, 4.6 million Snapchat usernames and phone numbers were compromised and leaked online by a hacker. It took the company nine whole days to issue a semi-apology for the breach, writing Jan. 9 on their company blog:

“This morning we released a Snapchat update for Android and iOS that improves Find Friends functionality and allows Snapchatters to opt-out of linking their phone number with their username. This option is available in Settings > Mobile #... We are sorry for any problems this issue may have caused you and we really appreciate your patience and support.”

As for the vanishing messages claim, Snapchat has long maintained that it notifies senders when a receiver takes a screenshot of the snap on their mobile device. But it was later revealed that there were simple workarounds to evade the app’s screenshot detection. Furthermore, because the “vanishing” feature only works within the official Snapchat app, for years, users have been able to download third-party apps to log into Snapchat and save photos and videos indefinitely.

Because of these findings and more, Snapchat was forced to settle a privacy complaint with the Federal Trade Commission in May on charges that “it deceived consumers with promises about the disappearing nature of messages sent through the service.”

“If a company markets privacy and security as key selling points in pitching its service to consumers, it is critical that it keep those promises,” said FTC Chairwoman Edith Ramirez.

According to the complaint, consumers can indeed use third-party apps—which “have been downloaded millions of times”—to access Snapchat and save photos and videos. Also, the FTC made three other major allegations:

1. That Snapchat stored video snaps unencrypted on the recipient’s device in a location outside the app’s “sandbox,” meaning that the videos remained accessible to recipients who simply connected their device to a computer and accessed the video messages through the device’s file directory.

2. That Snapchat deceptively told its users that the sender would be notified if a recipient took a screenshot of a snap. In fact, any recipient with an Apple device that has an operating system pre-dating iOS 7 can use a simple method to evade the app’s screenshot detection, and the app will not notify the sender.

3. That the company misrepresented its data collection practices. Snapchat transmitted geolocation information from users of its Android app, despite saying in its privacy policy that it did not track or access such information.

Furthermore, the complaint stated that Snapchat “collected iOS users’ contacts information from their address books without notice or consent” through its “Find Friends” feature, which the company then “failed to secure,” resulting in the aforementioned breach.

On May 15, the Electronic Frontier Foundation released their fourth annual “Who Has Your Back” report on online service providers’ privacy and transparency practices regarding government access to user data. Snapchat was the lowest rated company when it comes to privacy in the 73-page report, and the only one to earn just a single star.

“This is particularly troubling because Snapchat collects extremely sensitive user data, including potentially compromising photographs of users,” read the report. “Given the large number of users and non users whose photos end up on Snapchat, Snapchat should publicly commit to requiring a warrant before turning over the content of its users’ communications to law enforcement.”

Snapchat, meanwhile, has neglected to disclose how it’s working towards helping those users who’ve been victimized in “The Snappening.”

Got a tip? Send it to The Daily Beast here.