In late July, Snap’s director of engineering emailed the company’s team in response to an unfolding privacy threat. A government official from Dorset in the United Kingdom had provided Snap with information about a recent attack on the company’s users: a publicly available list, embedded in a phishing website named klkviral.org, that listed 55,851 Snapchat accounts, along with their usernames and passwords.
The attack appeared to be connected to a previous incident that the company believed to have been coordinated from the Dominican Republic, according to emails obtained by The Verge. Not all of the account credentials were valid, and Snap had reset the majority of the accounts following the initial attack. But for some period of time, thousands of Snapchat account credentials were available on a public website.
According to a person familiar with the matter, the attack relied on a link sent to users through a compromised account that, when clicked, opened a website designed to mimic the Snapchat login screen. Many companies, including Facebook, scan links as they are sent in an effort to identify pages that mimic their login screens and block them accordingly.
“We are very sorry when anyone is tricked by phishing,” a Snap spokesman told The Verge. “While we can’t prevent people from sharing their Snapchat credentials with third parties, we do have advanced defenses to detect and prevent suspicious activity. We encourage Snapchatters to always use strong passwords, enable login Verification, and never use third-party apps or plugins.”
Snap says it uses machine-learning techniques to look for suspicious links being sent within the app, and proactively blocks thousands of suspicious URLs per year. Users who were affected by the July attack were notified that their passwords had been reset via an email from the company.
In the July case, the company noticed that a single device had been logging into a large number of accounts and began flagging it as suspicious. But thousands of accounts had already been compromised.
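The signal described above, one device authenticating to many accounts, can be expressed as a sliding-window count of distinct accounts per device. The sketch below is an added illustration, not Snap's detection code; the event fields, the one-hour window, the threshold of five accounts and the sample events are all assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)   # assumed look-back window
MAX_ACCOUNTS = 5              # assumed: more distinct accounts than this is suspicious
BASE = datetime(2000, 1, 1, 12, 0)  # constructed reference time for the sample data


def build_sample_events():
    """Constructed login events as (timestamp, device_id, account)."""
    events = []
    # dev-A: eight different accounts within 14 minutes (the fan-out pattern).
    for i in range(8):
        events.append((BASE + timedelta(minutes=2 * i), "dev-A", f"user{i:02d}"))
    # dev-B: a shared household device, two accounts logging in repeatedly.
    for i in range(10):
        events.append((BASE + timedelta(minutes=3 * i), "dev-B", f"family{i % 2}"))
    # dev-C: six accounts, but spread over 2.5 hours, never more than 3 per window.
    for i in range(6):
        events.append((BASE + timedelta(minutes=30 * i), "dev-C", f"guest{i}"))
    return events


def flag_devices(events, window=WINDOW, max_accounts=MAX_ACCOUNTS):
    """Return {device_id: (first_flag_time, distinct_accounts_in_window)}."""
    recent = defaultdict(deque)  # device -> (timestamp, account) pairs inside the window
    flagged = {}
    for ts, device, account in sorted(events):
        q = recent[device]
        q.append((ts, account))
        # Drop logins that have aged out of the look-back window.
        while ts - q[0][0] > window:
            q.popleft()
        # Repeat logins to the same account count once.
        distinct = len({acct for _, acct in q})
        if distinct > max_accounts and device not in flagged:
            flagged[device] = (ts, distinct)
    return flagged


if __name__ == "__main__":
    for device, (when, count) in flag_devices(build_sample_events()).items():
        print(f"{device}: {count} distinct accounts within {WINDOW} at {when}")
```

Counting distinct accounts rather than raw logins keeps a shared family device from tripping the rule, and the time at which the threshold is crossed shows how many accounts are reached before the flag fires.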
Chad DePue, the director of engineering, also directed a member of the company’s legal team to ask the website’s host, GoDaddy, to take it down. (GoDaddy declined to comment on the attack, saying it would violate user privacy.)
It is unclear how long the attack went on, or when the Dominican Republic attack had begun. But by the morning of July 24th, Google had blocked klkviral.org from appearing in search results and flagged it as a malicious site for people trying to visit it. (Snap works with Google and other tech companies to maintain a list of known malicious sites.)
The accounts compromised in July represent a tiny fraction of Snap’s 187 million active users. But the incident illustrates how sites set up to mimic login screens can do an outsized amount of damage — and how companies must increasingly rely on machine-learning techniques to identify them in real time.