Snapchat on Friday was targeted by a phishing attack that resulted in some payroll information of its employees being inadvertently revealed.
With more than 100 million daily active users, Snapchat is a highly popular social networking service aimed mainly at teens and millennials, who can share photos and short videos with their friends and followers. According to the company, it logs over 7 billion video views every day.
In a blog post, Snapchat notes that the phishing attack resulted in some payroll information about its employees being revealed, but that its servers were not breached and user data was not exposed in any way. However, the phishing scam did result in the identities of a number of Snapchat employees being compromised.
The company explains that the attack was an isolated email phishing scam that was specifically targeted at the payroll department. The scammers impersonated Snapchat Chief Executive Officer Evan Spiegel, and apparently did it in a very convincing manner, given that the email seemed legitimate enough for an employee to provide the attacker with the requested information.
Snapchat says that the incident impacts both current and former employees, but did not reveal the exact number of affected people. However, the company did manage to identify which employees had their data leaked and has informed them of the matter.
According to Snapchat, it was able to determine that the incident was an isolated attack within four hours of its occurrence. The company has alerted the FBI to the matter.
The company also says that it plans on investing more in preventing similar incidents from happening again, mainly through improved employee training programs.
“When something like this happens, all you can do is own up to your mistake, take care of the people affected, and learn from what went wrong. To make good on that last point, we will redouble our already rigorous training programs around privacy and security in the coming weeks,” Snapchat notes.
Social engineering represents one of the most widely used data-stealing techniques in today’s threat landscape, mainly because people are one of the best exploits, as Proofpoint explains in its Human Factor 2016 report. Over 98 percent of the malicious emails sent last year required human interaction to infect a target, the report revealed.
In a December 2015 SecurityWeek column, Bill Sweeney, the US financial services evangelist of BAE Systems Applied Intelligence, explains that companies can protect against social engineering by implementing technologies that tackle it and by training employees.
“Today, one of the best ways to defend against social engineering is to beef up security through employee education. In combination with technology solutions, employee education can help build awareness to common social engineering techniques, such as phishing,” Sweeney said.
However, while education is important, it will never solve the problem of employees eventually falling for crafty and targeted phishing attacks.