BreachExchange mailing list archives

The Hidden Danger After the Snapchat Hack


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 8 Jan 2014 19:21:59 -0700

http://finance.yahoo.com/news/hidden-danger-snapchat-hack-133000596.html

Snapchat users face another potential threat to their privacy: online tools
designed to help users determine if their name and phone number was among
the 4.6 million compromised in a recent hack.

Two tools — GS Lookup and Snapcheck.org — allow users to enter their
username or phone number and find out if they made the list of compromised
accounts. The sites claim to offer a public service, but it’s important for
users to take extra care. Individuals can protect themselves by asking
these basic questions.

Who Is Behind the Site?

GS Lookup was reported to have been created by U.S. programmers Will
Smidlein and Robbie Trencheny. That said, a footnote on the site references
a redirection from other Twitter accounts, which does not inspire
confidence. Snapcheck.org is attributed to Vik Paruchuri, whose Twitter
account lists him as a Web development/software person. While their
intentions may be civic-minded, that is not verifiable with the information
at hand. It’s better to be safe than sorry, and it is a safe assumption
that if Snapchat was breached and you have a Snapchat account, that
information was compromised. How does anyone know that the data thieves
published the entire list of names that were obtained? Would you really
trust an unverified website to put your mind at ease when you know a breach
has occurred and the company that was breached isn’t providing details?

What Are They Doing With the Information?

If, after story after story of data theft and loss, you still believe these
websites are offered only by legitimate sources, and that they only use your
information to help you and then discard it afterward, just remember: Once
you give a company your information, they have it. They most likely aren’t
deleting it. They often use and perhaps sell it. If that information is
identical to account information you have for other companies, then both (or
all) of those accounts are exposed if one is exposed.

Are These Newly-Launched Sites Secure?

Even if the websites for checking the Snapchat exposure are
well-intentioned, if they weren’t coded securely, they may be vulnerable to
other hackers who launch a “man-in-the-middle” attack, in which the hacker
captures the information you enter into a browser before it reaches the
intended website.

We need to start holding the companies we entrust with data accountable for
the security of consumer information. The companies collecting, storing and
using our information, even with permission, need to affirm that they
follow best practices — such as using encryption, segmenting data, and
having a third-party audit their security program so they actively look for
and remediate vulnerabilities rather than wait for the “bad guys” to
exploit their weaknesses.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss