Another day brings another reminder that sending nudes isn’t exactly safe, even if the app you’re using to send those photos claims they vanish. Ephemeral messaging app Snapchat is now facing questions about third-party apps that use its API to save snaps—unbeknownst to the sender—after one service, SnapSaved, was hacked over the weekend.
About 90,000 photos and 9,000 videos were stolen from SnapSaved’s servers, according to The Daily Beast, in a hack that affects more than 200,000 Snapchat users. Because Snapchat itself wasn’t targeted in the hack, the company is backing away from any responsibility for the breach.
“We can confirm that Snapchat’s servers were never breached and were not the source of these leaks,” Snapchat told The Daily Beast. “Snapchatters were victimized by their use of third-party apps to send and receive snaps, a practice that we expressly prohibit in our Terms of Use precisely because they compromise our users’ security. We vigilantly monitor the App Store and Google Play for illegal third-party apps and have succeeded in getting many of these removed.”
Why this matters: Snapchat alerts users when someone has taken a screenshot of their photo, but a slew of third-party services using Snapchat’s API exist simply to help users save snaps. Even if Snapchat is actively cracking down on those apps, a cursory search of the App Store and Google Play turns up plenty of services that do exactly what SnapSaved did—and might be vulnerable to the same type of hack.
Screenshots, snaps, and third-party apps
In a Tuesday blog post, Snapchat said security is basically up to you: Don’t use third-party apps or services that require your Snapchat login information.
“The best way to keep our community safe is a combination of security countermeasures and common sense,” the company said. “We’ll continue to do our part by improving Snapchat’s security and calling on Apple and Google to take down third-party applications that access our API. You can help us out by avoiding the use of third-party applications.”
The company said that it doesn’t offer a public API and restricts its private one because “takes time and a lot of resources to build an open and trustworthy third-party application ecosystem,” but the SnapSaved hack proves it’s too easy to tap into Snapchat’s API to save data. It might be unauthorized, but the fact that Snapchat’s private API can be used that way—and that users don’t even know that their images are being captured by third parties—is troubling.
The Federal Trade Commission agrees. The agency has taken Snapchat to task for marketing its messages as disappearing when it’s so easy to save them. Snapchat settled with the FTC in May, but it’s clear that its security issues are ongoing.
In the meantime, the story keeps unfolding. A security researcher told The Guardian that 13GB of content collected over a year’s time was released in the hack, which flouts SnapSaved’s claims that only 500MB was stolen from its servers. Plus, Re/code said that SnapSaved’s founders are requesting payment for interviews. Details about the kinds of images and videos that were leaked are still murky, and it’s unclear what recourse, if any, Snapchat users have against these unauthorized services. Because no celebrities were involved (that we know of), it’s unlikely that Snapchat will face the same pressure Apple did in the wake of the iCloud hacks to improve its security measures and prevent future thefts.