Cross-posted from Wired.
If you’re a Snapchat user, you should know something: The “Snappening” is not your fault.
On Sunday, the threat of what has been dubbed “The Snappening” actually happened. Hundreds of thousands of pictures and videos taken by users of the popular ephemeral media service Snapchat were intercepted by hackers and, after a few days of bragging and bluster, they were finally posted online in a 13GB dump. Details are still rolling in on how this attack might have been carried out, but signs point to the use of insecure, unauthorized third-party software designed to let users store “disappearing” snaps. The third party software service SnapSaved.com has confirmed it was compromised as part of this attack.
As a company that is already the subject of an FTC complaint regarding privacy and data security, Snapchat was quick to proclaim that they did nothing wrong, promptly issuing a statement which read “We can confirm that Snapchat’s servers were never breached and were not the source of these leaks.” Then the company promptly blamed its users, saying “Snapchatters were allegedly victimized by their use of third-party apps to send and receive Snaps, a practice that we expressly prohibit in our Terms of Use precisely because they compromise our users’ security.”
The guidance and rules are buried in the fine print with no explanation for the ban on third-party software. This dense, boilerplate agreement places the burden of securing against this attack on the party in the relationship least likely to have knowledge of the vulnerability—the user. People who relied upon the app’s implicit promise of ephemera and relative safety wouldn’t be wrong to feel betrayed by Snapchat’s “it’s not us, it’s you” attitude.