Snapchat hack should be wake-up call

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.usatoday.com/story/tech/columnist/2014/01/02/snapchat-breach-new-tech-economy-john-shinal-usa-today/4250487/

This new year of 2014 may very well be the one in which the ability (or
failure) of social networks to protect their users' data becomes a
competitive advantage (or disadvantage).

If so, Snapchat has started the year off in a bad way, by having its
servers hacked and the user names and mobile numbers of 4.8 million members
turned into a database that's now floating around the Internet.

By itself, it's not very big news that a small, relatively new service got
hacked, of course.

Computer security breaches that steal consumer data are now common.

Just ask Target shoppers and Skype users — who also had private information
stolen this holiday season.

In a world where cybersleuths wearing either white or black hats joust for
control of the Internet, there's going to be collateral damage to consumers.

The bigger problem for Snapchat is it failed to fix a security weakness
that was pointed out publicly by an Australian security firm in August.

Gibson Security, based in Sydney, has on its site a news release dated Aug.
27, 2013, in which it points out the precise flaw that thieves used to
penetrate Snapchat's servers this week.

The four-month lag time suggests protecting user data was not at the top of
the to-do list of Snapchat's own engineering hacking sessions.

It probably should have been, given that the data breach news has become
the first time a general (non-tech) audience is hearing about the start-up.

Closer followers of tech will remember Snapchat CEO Evan Spiegel in
November was widely reported to have turned down a $3 billion all-cash
takeover offer from Facebook.

Publicity people often say that there's no such thing as bad publicity, but
this example strongly suggests otherwise.

Given that Snapchat is most popular with the 18-and-younger crowd, its lack
of diligence on fixing the flaw pointed out by Gibson Security has just
created almost 5 million sets of unhappy parents.

A big part of Snapchat's appeal is its technology that the company says
allows pictures posted to it to disappear after 10 seconds.

That should serve as a wake-up call to all the parents who pushed their own
kids off of Facebook by trying to "friend" them on the No. 1 social network.

That merely pushed kids looking for privacy onto smaller social networks
such as Instagram and Snapchat.

Adolescents who use social networks to create their own online identity are
engaging in a healthy activity — if it's overseen properly and if the
companies running those networks deliver on their privacy promises.

Parents should be aware of what networks their children are using and
supervise their privacy and security settings.

Gibson Security has set up a Web page (http://lookup.gibsonsec.org/) where
Snapchat users or their parents can see if their user name and mobile
numbers were among those stolen.

The Snapchat data breach is a reminder to parents to be aware of what their
kids are doing online.

It should also be yet another wake-up call to the social media industry, as
its companies work on their 2014 engineering priorities, to put the
protection of user information at least on par with, if not above,
revenue-generating projects.

If a company loses the trust of its users, it's going to lose the users
themselves eventually to a rival that's doing a better job protecting data.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The 
YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk 
mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.