My teenage daughter thinks my technology job in security is boring most of the time (especially when I talk about it in front of her)- but when she heard about the SnapChat breach, I quickly received a call asking for advice. The user names and phone numbers of many users were breached and exposed. So should my daughter and her friends be worried? Whenever there is a breach or new vulnerability found, there can be a lot of hysteria. Its scary to know that your information was stolen - but there are varying degrees of damage that can be done by breaches. I performed a quick risk assessment for her and thought, given the large numbers of SnapChat users, I would share the results. The outcome? She personally did not need to be very worried – although some might need to be. Here’s why:
- Right now, there is no indication that passwords were exposed. I recommended she change her password anyway just to play it safe. Since I use SnapChat as well to communicate with her, I did the same.
- Her user name, combined with her phone number, doesn’t provide much identifying information about her at all. It could lead to annoying spam texts and calls – but since she is using a respectable user name that is not her full name, the two pieces together do not clearly identify her and should not cause embarrassment. She is almost 20, so we are not very concerned about her receiving content from those she doesn't know - because she can always block those people. Younger kids and their parents should take some precautions.
- New incoming photos can’t be accessed with just a user name and phone number – so new photos coming in are safe as long as passwords weren't breached (and we changed our passwords to play safe)
- Old photos, while remnants remain on her device – are not accessible even if her account was breached because the SnapChat application does not maintain them for user access
- Her name with her phone number is already public information because it is listed on her blog with her resume
So who should be worried and when?
- Parents of younger children (my daughter is almost 20) should be concerned because their kids can be added by people who don't know them and their numbers have been exposed to spammers which may, in turn, expose them to inappropriate content and messages. Downloading a new version of the app released today and opting out of "Find Friends" should definitely be performed with younger kids. Also, making sure younger kids come to you immediately if they see inappropriate content in spam messages on their phone is essential.
- If you have an inappropriate user name, this information combined with your phone number could cause embarrassment.
- If it turns out that passwords were in fact breached – then someone could gain access to new incoming snapchats. There are no reports of passwords being breached I recommend changing passwords now just to play safe
- If the user name contains identifying information and you want to keep your number private (for example – famous people) – then it could cause an issue. In that case, getting a new phone number from your mobile provider is the option to correct it.
Reasonable security decisions – both in businesses and in our personal security online - are about assessing the value of the information combined with the difficulty for an attacker to gain the information. Those who phone numbers were exposed might have some annoyances with spam to their mobile phones – but unless more data than phone numbers and user names were stolen or if you fit the “worry” criteria – that should be the extent of the damage from this breach.