Despite the other security measures put in place by the company's IT department, it took nothing more than a reply to a phishing e-mail to expose the personal data and paycheck information of dozens of former and current Snapchat employees.
The company announced that the cyber attack occurred Friday when an unidentified employee at the payroll department responded to an e-mail whose sender impersonated the company’s CEO and requested sensitive data on other employees’ payrolls.
Snapchat declined to be more specific on how many employees were affected or on how bad the attack was. It only said that data has been leaked on “some current and former employees.”
Yet this is not the first time the social networking service has been targeted by hackers. In 2014, about 200,000 private photos posted by users were exposed when attackers breached several third-party apps that users had been using alongside the service.
This time, however, no user data was leaked, and the company took full blame for the attack. In 2014, by contrast, Snapchat had blamed the users who connected unofficial third-party apps to its platform.
As of now, we do not yet know what exactly was leaked. “Payroll information” is quite vague. It could comprise names, social security numbers, bank accounts, home addresses, e-mail addresses and so on.
The LA-based company also said that the incident had been reported to the FBI and that federal investigators were working to get to the bottom of it. Additionally, employees affected by the attack will receive two years of free identity theft insurance.
The company broke the news in a blog post on Sunday when it said it was “impossibly sorry” for the incident. It also pledged to further train its employees on privacy and security at the workplace, though current training programs were already as ‘rigorous’ as they could get.
Cyber security experts explained that phishing attacks such as this one, also known as “whaling” attacks, are becoming increasingly frequent. They started out as Nigerian-based financial frauds whose perpetrators sent phony e-mails to key people in the accounting departments of major firms, requesting information or an urgent transfer to a particular account for a last-minute deal or invoice payment. The e-mails appeared to come from the companies’ top executives, but on closer inspection one could see that the sender’s e-mail address did not belong to the company.
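The sender check the experts describe, an executive's name displayed over an address that does not belong to the company, expressed as an added Python example. This is not code from the article or from Snapchat; the company domain, the protected names and the sample headers are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed placeholders, not from the article: the company's real mail
# domain and the display names an impersonator would borrow.
COMPANY_DOMAIN = "example-company.com"
PROTECTED_NAMES = {"alex ceo", "sam cfo"}


def header_domain(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def executive_impersonation_findings(raw_message, company_domain=COMPANY_DOMAIN,
                                     protected_names=PROTECTED_NAMES):
    """Flag the whaling pattern: an executive's name in From while the real
    sender address, or the address replies would go to, is outside the company."""
    msg = message_from_string(raw_message)
    display_name, _ = parseaddr(msg.get("From", ""))
    from_domain = header_domain(msg.get("From"))
    reply_domain = header_domain(msg.get("Reply-To"))

    findings = []
    if display_name.strip().lower() in protected_names and from_domain != company_domain:
        findings.append(f"executive display name '{display_name}' sent from "
                        f"external domain '{from_domain}'")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain '{reply_domain}' differs from "
                        f"From domain '{from_domain}'")
    return findings


# Constructed sample headers for a self-check: one internal message, one with
# an external sender behind the CEO's name, one with a redirected Reply-To.
LEGIT = "From: Alex CEO <alex@example-company.com>\nSubject: Q1 numbers\n\nbody\n"
EXTERNAL_SENDER = ("From: Alex CEO <alex.ceo.office@freemail.example>\n"
                   "Subject: Urgent: payroll data needed\n\nbody\n")
REDIRECTED_REPLY = ("From: Alex CEO <alex@example-company.com>\n"
                    "Reply-To: <alex.ceo.office@freemail.example>\n"
                    "Subject: Urgent: payroll data needed\n\nbody\n")

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("external", EXTERNAL_SENDER),
                       ("redirected", REDIRECTED_REPLY)):
        print(label, executive_impersonation_findings(raw) or ["no findings"])
```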