According to a recent report from The Verge, a phishing attack exposed the Snapchat credentials of 55,851 accounts late last July. The report reveals that the company’s director of engineering emailed the team in response to a privacy threat.
The threat was brought to their attention by a government official from Dorset in the UK, who pointed out that a phishing website, called klkviral.org, was hosting a list of stolen credentials of over 50,000 Snapchat accounts.
Emails obtained by The Verge later revealed that the attack was connected to a previous incident that the company believed was coordinated from the Dominican Republic. The report further states that not all the account credentials were valid and that Snapchat reset the majority of the affected accounts following the initial attack. However, for a brief period, thousands of Snapchat account credentials were publicly available on the website.
A person familiar with the matter told the publication that the phishing attack relied on a link sent to users from a compromised account, which redirected to a website designed to mimic the Snapchat login screen. To address the issue, Snapchat has now implemented a warning that prompts users if they attempt to click on a link to klkviral or other known phishing websites.
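As an added illustration, not code from The Verge's report or from Snap, this is one way a client could implement the link warning described above: the link's host is normalized and matched against a list of known phishing domains, including their subdomains. The blocklist is constructed for the example; klkviral.org is the domain named in the report and the second entry is a placeholder.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed blocklist for the example. klkviral.org is the domain named in
# the report; "phish-example.invalid" is a placeholder for other known sites.
KNOWN_PHISHING_DOMAINS = {"klkviral.org", "phish-example.invalid"}


def normalize_host(url: str) -> Optional[str]:
    """Return the lower-cased host of a link with userinfo, port and any
    trailing dot removed, or None if the link carries no host at all."""
    url = url.strip()
    if "://" not in url:
        # Bare "klkviral.org/x" would otherwise parse as a path, not a host.
        url = "http://" + url
    host = urlsplit(url).hostname  # lower-cased; userinfo and port dropped
    if not host:
        return None
    return host.rstrip(".")


def matches_blocklist(host: str, blocklist=KNOWN_PHISHING_DOMAINS) -> bool:
    """True if the host is a blocked domain or a subdomain of one.

    Matching walks the labels from the right, so www.klkviral.org matches
    but klkviral.org.example.com (blocked name used only as a prefix) does not.
    """
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def should_warn(url: str) -> bool:
    """Decide whether the client shows the phishing interstitial for a link."""
    host = normalize_host(url)
    return host is not None and matches_blocklist(host)


if __name__ == "__main__":
    for link in ("http://klkviral.org/", "https://accounts.snapchat.com/"):
        print(link, "->", "WARN" if should_warn(link) else "ok")
```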
A Snap spokesperson told The Verge:
“We are very sorry when anyone is tricked by phishing…While we can’t prevent people from sharing their Snapchat credentials with third parties, we do have advanced defenses to detect and prevent suspicious activity. We encourage Snapchatters to always use strong passwords, enable login Verifications, and never use third-party apps or plugins.”
Snap claims that it uses machine-learning techniques to identify suspicious links being shared within the app and proactively blocks thousands of suspicious URLs per year.
The company further noted that users who were affected by the phishing attack in July were notified that their passwords had been reset via an email from the company. The report also notes that by the morning of July 24, Google had blocked klkviral.org from appearing in its search results and flagged it as a malicious website.