Lessons from the data breach at Snapchat
Though most people wouldn’t give their phone number to a stranger on the street, they’re happy to share their digits with Google, Facebook, and other sites. But as millions of young Snapchat users just learned, phone numbers are valuable information to hackers.
On Wednesday, Snapchat became the first company to have its data hacked in 2014 when 4.6 million account usernames and partial phone numbers were posted online as a warning to those using the photo messaging service. “Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed,” the alleged hackers told tech site TheVerge.com. A spokeswoman for Snapchat declined to comment, but the company released a blog post saying it’s added counter-measures “to combat spam and abuse.”
Consumers should be wary about sharing their mobile numbers, security experts say. “Phone numbers are unique identifiers that tend to last for a long time,” says Michael Fertik, CEO at Reputation.com, a site that helps consumers protect their privacy online. “You change your phone number much less often than your IP address and probably even your home address.” While Snapchat users have fake usernames, many people use the same I.D. across a range of social networks, says Graham Cluley, a U.K. security blogger and technology consultant. “Use a different user I.D. than the one you use publicly on Facebook and Twitter,” he says. What’s more, typing just a mobile number into Facebook will reveal the profiles of the owner if he or she added it to their account information.
Snapchat’s alleged data breach is also a misstep for a company founded on the principle of preserving your online anonymity. Launched in September 2011, the service lets social networkers send “Snaps”—photos or videos—that last between 1 and 10 seconds, depending on the time limit set by the sender. The service—which reportedly spurned a $3 billion offer from Facebook last November—has over 100 million users and shares 400 million snaps daily. “It’s embarrassing for Snapchat,” Cluley says, but could be more embarrassing for its users. After all, photos can be saved by recipients who “screen-grab” them in time. “These photos and mobile numbers could potentially be used for cyber-bullying and blackmail,” he says, especially if they’re connected to a real name.
Hackers can also fake a caller I.D. by using your number to sidestep a security step, says Bo Holland, founder and CEO of AllClear ID, an identity protection firm. Even without a real name, however, consumers can be spammed with text messages—known as “smishing”—that ask them to click on links containing malware, a virus that can retrieve data stored on the phone: photos, contact lists, emails and passwords. “Phone numbers are a building block for hackers,” says Adam Levin, co-founder of online security company Identity Theft 911. Some 37.3 million Internet users faced phishing attacks in 2013, an 87% rise over the last three years, according to a survey from online security company Kaspersky Lab. “Smartphones are not just communication devices,” Levin says. “They are data storage devices.”
So why do companies want your mobile number? “It’s a necessary and useful part of e-commerce,” Fertik says, “but you should not give it without a specific reason.” For those waiting for a package or taking a flight, for example, it helps to receive a text message about delays. Plus, mobile numbers can be useful for two-factor authentication, says e-commerce consultant Bryan Eisenberg. Step 1: input your username and password to your email, social networking or bank account. Step 2: receive a text message to validate any changes. This can also be done with a secondary email address or Google Voice number that redirects calls and texts to your cell; for that reason, Eisenberg has given his mobile number to Google, but hasn’t given it to Facebook. He doesn’t have a Snapchat account.