BreachExchange mailing list archives
The Hidden Danger After the Snapchat Hack
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 8 Jan 2014 19:21:59 -0700
http://finance.yahoo.com/news/hidden-danger-snapchat-hack-133000596.html

Snapchat users face another potential threat to their privacy: online tools designed to help users determine if their name and phone number were among the 4.6 million compromised in a recent hack.

Two tools — GS Lookup and Snapcheck.org — allow users to enter their username or phone number and find out if they made the list of compromised accounts. The sites claim to offer a public service, but it’s important for users to take extra care. Individuals can protect themselves by asking these basic questions.

Who Is Behind the Site?

GS Lookup was reported to have been created by U.S. programmers Will Smidlein and Robbie Trencheny. That said, a footnote on the site references a redirection from other Twitter accounts, which does not inspire confidence. Snapcheck.org is attributed to Vik Paruchuri, whose Twitter account lists him as a Web development/software person.

While their intentions may be civic-minded, that is not verifiable with the information at hand. It’s better to be safe than sorry, and it is a safe assumption that if Snapchat was breached and you have a Snapchat account, that information was compromised. How does anyone know that the data thieves published the entire list of names that were obtained? Would you really trust an unverified website to put your mind at ease when you know a breach has occurred and the company that was breached isn’t providing details?

What Are They Doing With the Information?

If, after story after story of data theft and loss, you believe these websites are offered only by legitimate sources and that they only use your information to help you and then discard your information afterward, just remember: Once you give a company your information, they have it. They most likely aren’t deleting it. They often use and perhaps sell it. If that information is identical to account information you have for other companies, then both (or all) of those accounts are exposed if one is exposed.

Are These Newly-Launched Sites Secure?

Even if the websites for checking the Snapchat exposure are well-intentioned, if they weren’t coded securely, they may be vulnerable to other hackers who launch a “man-in-the-middle” attack, in which the hacker captures the information you enter into a browser before it reaches the intended website.

We need to start holding the companies we entrust with data accountable for the security of consumer information. The companies collecting, storing and using our information, even with permission, need to affirm that they follow best practices — such as using encryption, segmenting data, and having a third-party audit their security program so they actively look for and remediate vulnerabilities rather than wait for the “bad guys” to exploit their weaknesses.