Snapchat denies hack after accounts hijacked to send spam

Snapchat has denied it was hacked after some users received spam messages advertising a slimming site

Mobile messaging app Snapchat has denied it was hacked after some users received spam messages advertising a slimming site.

Snapchat – a mobile app that allows users to send and receive "self-destructing" photos and videos – told the BBC that user login data was taken from other sites and used to hijack Snapchat accounts.

The hijacked accounts were then used to send spam images to everyone on the hijacked account’s contact list. But the messages do not appear to harm the sender or recipient, Snapchat said.

"We have seen evidence that hackers, who have access to a trove of credentials leaked from other websites, have started using them to gain access to Snapchat accounts,” the makers of the app said in a statement.

“We recommend using a unique and complex password to access your Snapchat account.”

Chequered security history

In January 2014, Snapchat was forced to introduce extra security measures, including a user verification system, after hackers posted details of 4.6 million US Snapchat account holders online.

In a report published on 25 December 2013, Gibson Security warned that a vulnerability on the Snapchat app could be used to reveal the phone numbers of users.


The hackers said their aim was to raise public awareness around the issue, and put public pressure on Snapchat to fix the exploit.

The hack highlighted security weaknesses in the Find Friends service, which enables users to find people they know who are also using the service by entering their phone number.

Attackers could use the service to upload a large number of random phone numbers and match them with Snapchat usernames.

Twitter backlash

Snapchat said it does not yet know how many accounts were affected by the latest incident, but users in several countries reportedly took to Twitter to complain about the problem.

Snapchat said that, in “many instances”, the company’s defence systems have notified users whose accounts have been compromised to change their passwords.

Mobile engagement services firm Acision said that, although the latest incident is relatively benign, it still represents a breach of trust.

“App providers are charged with ensuring security, in this instance for sending and receiving personal communications, which could also easily be sensitive information like banking or medical data,” said Acision’s JF Sullivan.

“If providers of messaging services do not make security and customer integrity one of the key pillars in their architecture, it sets itself up for a breach of that trust and, more importantly, a breach of its customer’s most intimate information.”

Read more on Privacy and data protection