Snapchat joins the long list of password breaches

Enrique Dans

Jan 2, 2014

Less than a week ago, we were discussing the question of who should be held responsible for online security breaches; now the hacking of Snapchat provides us with a case study.

Snapchat, the revelation of 2013 thanks to the epic growth of its photo messaging application, has begun 2014 in the worst possible way: after a security company had warned the site several times about its weak API and the strong likelihood that it could be misused, on January 31 its owners discovered that those weaknesses had been exploited, and that a website was offering free downloads of a database of some 4.6 million user names together with their telephone numbers.

At first sight, this would appear to be little more than an attack designed to expose the company’s poor security standards, but given that this is not the first such breach, nor will it be the last, it is worth asking a number of questions, starting with how we should respond to news like this.

Attacks of this kind, whether to prove a point or for commercial purposes, have sadly become all too commonplace for companies like Snapchat, which find themselves having to manage rapid growth with startup resources while competing with much bigger fish like Adobe, Gawker, Sony, Vodafone, or Yahoo!. Our first response on hearing news like this is to ask whether we are affected. If there is a database that can be downloaded or consulted, we might want to know whether our details are on it. If not, and we are simply users and nothing has been published yet, we might as well assume that it will be shortly.

As a rule, the company in question will set in motion mechanisms requiring users to provide new passwords, in which case we will need to log in as soon as possible to avoid our account being accessed by third parties.

The next step is to establish whether the theft of our data could in any way compromise other online services we use. We all know that we shouldn’t use the same access information across the board, but many of us do, or at best only use complex passwords for services we consider vital.

Whatever our security precautions may have been until now, an event like this should prompt us to rethink them and try to protect any services that might be at risk of exposure. Sadly, on hearing news like this, many people will simply say, “nyaahh, it’s only Snapchat, nothing important, it’s just a test, no big deal.” Let’s not be simplistic about this: should somebody out there who wants to do us harm find in that database the user name we use for another service, they could then use it to send messages in our name or try to access other important services we use, causing us no end of problems.
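The three steps the post has just walked through (check whether you are in the dump, change the exposed password, then find every other service that shares the same user name or password) can be turned into a small self-check. The script below is an added example written for this page, not code from the original post; the breach dump and the account inventory are constructed sample data, and a real tool would read the inventory from a password-manager export rather than from a literal in the script.

```python
"""Added example (not part of the original post): given a leaked list of
user names and a personal inventory of accounts, work out which accounts are
directly exposed and which other services reuse the same user name or
password, so you know what to rotate first. All data here is constructed."""
from collections import defaultdict

# Constructed sample of a leaked user-name/phone dump, as in the Snapchat case.
BREACH_DUMP = [
    ("enrique_d", "+34600111XXX"),
    ("mariap", "+34600222XXX"),
    ("photofan99", "+34600333XXX"),
]

# Constructed personal account inventory: (service, user name, password).
# A real tool would take this from a password-manager export and compare
# password hashes rather than keeping plaintext in a script.
MY_ACCOUNTS = [
    ("snapchat", "enrique_d", "Summer2013!"),
    ("webmail", "enrique_d", "Summer2013!"),
    ("bank", "e.dans", "x9#Lq!Tz7&vB"),
    ("forum", "edans", "Summer2013!"),
]


def exposed_accounts(dump, accounts):
    """Step 1: accounts whose user name appears in the breach dump."""
    leaked_users = {user for user, _phone in dump}
    return [(svc, user) for svc, user, _pwd in accounts if user in leaked_users]


def reuse_report(accounts):
    """Step 3: map each reused user name and each reused password to the
    services that share it (entries used by only one service are dropped)."""
    by_user, by_pwd = defaultdict(set), defaultdict(set)
    for svc, user, pwd in accounts:
        by_user[user].add(svc)
        by_pwd[pwd].add(svc)
    shared_users = {u: sorted(s) for u, s in by_user.items() if len(s) > 1}
    shared_pwds = {p: sorted(s) for p, s in by_pwd.items() if len(s) > 1}
    return shared_users, shared_pwds


def rotation_plan(dump, accounts):
    """Services to re-secure first: those directly exposed, plus any service
    that shares a user name or a password with an exposed one."""
    exposed = exposed_accounts(dump, accounts)
    shared_users, shared_pwds = reuse_report(accounts)

    todo = {svc for svc, _user in exposed}
    exposed_names = {user for _svc, user in exposed}

    # Same user name elsewhere: an attacker can try the leaked name there.
    for user, services in shared_users.items():
        if user in exposed_names:
            todo.update(services)

    # Same password elsewhere: once one copy is phished or cracked, all fall.
    password_of = {svc: pwd for svc, _user, pwd in accounts}
    for svc in list(todo):
        todo.update(shared_pwds.get(password_of[svc], []))

    return sorted(todo)


if __name__ == "__main__":
    print("Exposed:", exposed_accounts(BREACH_DUMP, MY_ACCOUNTS))
    print("Rotate first:", rotation_plan(BREACH_DUMP, MY_ACCOUNTS))
```

With the constructed data, only the Snapchat and webmail accounts are directly in the dump, but the forum account is pulled into the rotation plan because it shares their password, while the bank account, with its own user name and password, stays out of it. That last point is the post's argument in code form: the harm of a "trivial" breach is bounded by how much of your other identity it can be linked to.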

Services such as WhatsApp are equally vulnerable: I have lost count of the number of people who have said to me something along the lines of: “So what? Given what I use WhatsApp for, I don’t need much security.” Have they stopped to think of the possible consequences of somebody stealing their identity and then deliberately creating misunderstandings between the people on their contact list, or, as in the well-known case of Mat Honan, using their data to hack the accounts of their contacts? I come across such cases among my students all the time: a criminal uses information stolen from a service that is in theory relatively secure to hack into the accounts of others on the same service, sending them messages that range from “I am traveling and have lost my wallet, please send me money” to much more sophisticated confidence tricks.

So what is the worst-case scenario in all this? Just because the attack has simply been a warning, or it turns out that the database only reveals fields that are relatively unimportant, does not mean that we are safe: once the information is out there it can change hands extremely easily, and this is usually what happens, in which case the outcome of the attack will be very different from the one initially intended.

There is no such thing as total security. And the reality of our lives is that every day we set up accounts for services of all kinds, sometimes without knowing why, or simply to assure ourselves that if they do become popular we will have an account using our favorite nickname. Each and every one of these fragments of our lives can be used by people with malicious intentions. So, when we read about security breaches such as Snapchat’s we should stop to think about our own security practices, and accordingly improve them by using password managers and other approaches. Just because you’re paranoid doesn’t mean that somebody out there won’t misuse your personal information if they can get their hands on it.

(In Spanish, here)


Enrique Dans

Professor of Innovation at IE Business School and blogger (in English here and in Spanish at enriquedans.com)