In late July, Snapchat’s director of engineering emailed the company’s team in response to an unfolding privacy threat. A government official from Dorset in the United Kingdom had provided Snapchat with information about a recent attack on the company’s users: a publicly available list, embedded in a phishing website named klkviral.org, that listed 55,851 Snapchat accounts, along with their usernames and passwords.
The attack appeared to be connected to a previous incident that the company believed to have been coordinated from the Dominican Republic. Not all of the account credentials were valid, and Snapchat had reset the majority of the accounts following the initial attack. But for some period of time, thousands of Snapchat account credentials were available on a public website.
According to a person familiar with the matter, the attack relied on a link sent to users through a compromised account that, when clicked, opened a website designed to mimic the Snapchat login screen. Many companies, including Facebook, scan links as they are sent in an effort to identify pages that mimic their login screens and block them accordingly.
“We are very sorry when anyone is tricked by phishing,” a Snap spokesman told The Verge. “While we can’t prevent people from sharing their Snapchat credentials with third parties, we do have advanced defenses to detect and prevent suspicious activity. We encourage Snapchatters to always use strong passwords, enable login Verification, and never use third-party apps or plugins.”