The most recent Snapchat data breach occurred in May 2019, when it came to light that Snapchat employees were spying on users: viewing messages, location data, and more. Prior to that, a phishing attack in 2017 led to 55,000 stolen Snapchat login credentials.
As far as we can tell, there have been no known Snapchat breaches since May 2019. Below, you’ll find a full timeline of Snapchat data breaches and security incidents, starting with the most recent.
May 2019: News Breaks of Snapchat Employees Spying on User Accounts
In May 2019, reports emerged that Snapchat employees were abusing their access privileges to spy on users. Along with viewing messages, employees reportedly accessed location information, phone numbers, and email addresses.
The tool involved in the spying goes by the name SnapLion internally. It was initially designed to assist with law enforcement requests, including subpoenas and court orders, giving authorized employees a way to gather the required data. Over time, it was also used for spam and abuse tracking, as well as to analyze bullying and other harmful activities.
However, former employees came forward stating that not all employees were using the capability for legitimate requests. Employees with authorization to use the tool weren’t always limiting themselves to justifiable reasons, essentially using SnapLion to spy on accounts without oversight.
It isn’t clear how many accounts were accessed inappropriately or whether there were any consequences for impacted users. Additionally, it isn’t known when the unauthorized activities began or if they are ongoing.
July 2017: Phishing Attack Captures Details on 50,000 Snapchat Accounts
In February 2018, reports emerged of a phishing attack that targeted Snapchat users in July 2017. It allowed attackers to collect account passwords from over 55,000 users, mainly by tricking the targeted users into believing they were logging into Snapchat.
The attackers created a mobile site that mimicked the Snapchat login screen and used a compromised account to send messages to users containing a link to it. If a targeted user entered their credentials on the fake site, the hackers were able to collect and store that information.
After acquiring the data, the hackers published lists that contained the stolen login credentials. Anyone who accessed the lists was able to see the user names and associated passwords, giving them a way to access the accounts.
February 2016: Cyberattack Exposes Snapchat Employee Data
In February 2016, a phishing attack allowed a scammer to access payroll information on a group of current and former Snapchat employees. An attacker impersonated the company’s CEO and requested the data. A payroll department employee didn’t recognize that it was a scam and provided some of the requested information.
The incident was considered isolated, and no user data was involved. The exact number of impacted employees wasn’t disclosed, and the incident was reported to the FBI.
October 2014: 200,000 Photos Leaked
While the October 2014 incident didn’t involve Snapchat directly, a third-party app that allowed users to store photos that would otherwise disappear was hacked. Attackers were able to acquire the images, many of which were either explicit or racy, and aimed to publish them online.
Snapchat said that its systems weren’t compromised in any way, firmly placing blame on the third parties. Aside from the images and associated user names, it isn’t believed that any other data was compromised.
January 2014: Data Hack Exposes Details from 4.6 Million Accounts
In January 2014, news broke of a hack that exposed details from 4.6 million Snapchat accounts. A gap in the company’s security was said to be responsible. The vulnerability allowed hackers to acquire the usernames and phone numbers of millions of users. The stolen information was reportedly downloaded by a site using the name SnapchatDB.info and was made publicly accessible.
The hackers claimed that they were able to access the data by taking advantage of a vulnerability that security researchers discovered the week prior. The researchers posted about the security issue, claiming it made the app’s API hackable in a way that exposed user information.
Two days after the post, Snapchat stated that the issue wasn’t a problem and that it had taken action to make using the vulnerability “more difficult.” However, the subsequent attack made it seem as if any efforts on Snapchat’s part were insufficient.