The US Federal Trade Commission settled its complaint against Snapchat on Thursday this week. The complaint accused the company of failing to protect and secure its users' data, along with other privacy failures. It notes that a security failure in the Find Friends feature, which caused the details of 4.6 million North American users to be released on-line, could have led to "spam, phishing, and other unsolicited communications" to Snapchat users. With AdaptiveMobile's large mobile security presence in North America, we decided to analyse whether an exposed Snapchat user was more likely to be targeted by malicious SMS attacks after the data went on-line.
Firstly, some more background on the data breach. It started on the 25th of December 2013, when the security researchers at Gibson Security released a report on the vulnerabilities within the Snapchat API. Soon afterwards, one of these vulnerabilities was exploited by unknown attackers, and on the 31st of December 2013 the website snapchatdb.info (now defunct) went live. The website offered a list of 4,609,620 Snapchat user names, locations and partial phone numbers. The Snapchat users' phone numbers had the last two digits obscured.
We began by looking for directed attacks using Snapchat user names within malicious SMS attacks. We were unable to find any attacks which were directly linked to a Snapchat user name; however, this is not the full story. We then investigated whether there was an increased level of SMS spam to Snapchat users within the released database. To determine this, we compared the amount of blocked spam sent to victims of the leak for a three-month period before and after the Snapchat database was released on-line. Because the leaked database had the last two digits obfuscated, we matched the phone numbers of blocked SMS spam recipients during the period against the partial phone number ranges from the leaked database, and compared that amount to the total amount of blocked SMS spam sent. If the leaked Snapchat users were not targeted, then their percentage of the total blocked spam should stay fairly constant throughout the six-month period. If they were targeted, then we should see their percentage of the total increase after the 31st of December, 2013.
Here we have plotted the percentage of total spam sent to possible leaked Snapchat users per week, and included the average and one standard deviation for comparison.
As you can see, the maximum data point is on the week ending on the 5th of January. During this week, the percentage of SMS spam received by North American cell phone users whose phone number matched a leaked partial number was more than 1.5 times the average for the 6-month period. The percentage also stays above average until the start of March. This is indicative that the database was possibly used to guide mobile attacks. We saw no other specific activity that could have explained this rise, but as every data scientist knows: correlation does not imply causation. However, as you can see, the timing of the breach and the spike thereafter match.
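The comparison described above (matching blocked-spam recipients against the leaked partial number ranges, then tracking their weekly share against the average and one standard deviation) can be sketched as follows. This is an added example, not AdaptiveMobile's code; the `XX` masking format, the function names and all sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev

MASKED = 2  # the leak obscured the last two digits of each phone number

def leaked_prefixes(partial_numbers):
    """Reduce leaked partial numbers (assumed form: digits + 'XX') to known prefixes."""
    return {p[:-MASKED] for p in partial_numbers}

def week_ending(day):
    """Sunday that closes the week containing `day` (5 January 2014 was a Sunday)."""
    return day + timedelta(days=6 - day.weekday())

def weekly_share(blocked, prefixes):
    """blocked: (date, recipient) pairs. Returns {week_end: % of blocked spam whose
    recipient falls in a leaked range}. A range covers 100 numbers, so a match
    is a *possible* leaked user, not a confirmed one."""
    total, hits = defaultdict(int), defaultdict(int)
    for day, recipient in blocked:
        week = week_ending(day)
        total[week] += 1
        hits[week] += recipient[:-MASKED] in prefixes
    return {week: 100.0 * hits[week] / total[week] for week in sorted(total)}

def weeks_above_band(share):
    """Mean, standard deviation, and the weeks more than one deviation above the mean."""
    avg, sd = mean(share.values()), pstdev(share.values())
    return avg, sd, [week for week, pct in share.items() if pct > avg + sd]

def constructed_sample():
    """Constructed data: 100 blocked messages per week, fictional 555-01xx numbers."""
    matched_per_week = {date(2013, 12, 22): 8, date(2013, 12, 29): 8,
                        date(2014, 1, 5): 18, date(2014, 1, 12): 10}
    blocked = []
    for week_end, matched in matched_per_week.items():
        for i in range(100):
            recipient = "12025550100" if i < matched else "13035550199"
            blocked.append((week_end - timedelta(days=i % 7), recipient))
    return blocked

if __name__ == "__main__":
    share = weekly_share(constructed_sample(), leaked_prefixes(["120255501XX"]))
    avg, sd, flagged = weeks_above_band(share)
    for week, pct in share.items():
        print(week, f"{pct:.1f}%", "above mean + 1 sd" if week in flagged else "")
```

Because the share is normalised by total blocked spam per week, a general rise in spam volume does not by itself move the series; only a shift towards the leaked ranges does.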
As the database contained only partial phone numbers, this may have dissuaded spammers from fully exploiting the leak by including user names. We will continue to monitor the situation going forward and remain watchful of similar possible data leaks in the future. Since the breach and the later Snapchat spam outbreak, Snapchat have increased their security and recently hired more security expertise, but this shows the need for all messaging platforms to have a good defence against cybercriminals. This is because a successful attack on one can impact all.