The Snappening – over 90,000 Snapchat pictures and videos leaked
4 chan has struck again. First there was the celebrity nude leak scandal Fappening, and now there is the Snappening. For a brief history, on August 31, 2014, a collection private and nude pictures of almost 100 female celebrities were posted on the image sharing website 4chan.org. These were later shared by other users on websites and social networks such as Imgur, Reddit and Tumblr. The world got to see very intimate pictures of some of Hollywood’s largest stars. These included Jennifer Lawrence, Kate Upton, Nicky Minaj, Selena Gomez, Scarlett Johanson, Rihanna, Hillary Duff, and Demi Lovato, among others.
This time though, it’s not just nude photos from 100 celebrities. It is nude photos and videos from potentially hundreds of thousands of Snapchat accounts hacked by users of the same website. In what could possibly be one of the largest data breaches of online profiles, members from the website 4chan.org claim to have gained access to over two hundred thousand Snapchat accounts. They accomplished this by hacking the cloud service Snapsave. To put this into perspective, just imagine the celebrity nude scandal. Now replace iCloud with Snapsave and blow this up by hundreds of thousands of accounts. Now you have the Snappening.
As an attempt to create awareness of the pitfalls of online security and the vulnerabilities of security in the cloud, I followed the threads on the website 4chan.org with the title “Snappening” and decided to take screenshots of the whole event as it unfolded. I then uploaded these screenshots to my blog, including the link that someone posted with almost 100,000 of the hacked images, after the service had been pulled down. I posted the article at Thursday October 9th, at 11:30 PM (23:30) PST with all the details, added some tweets to my bufferapp, then went to bed. When I awoke, things got heavy.
Because of the crushing amount of traffic to the website, this article was unavailable for part of the day on Friday October 10th, 2014, and again today, October 13, 2014. As a result I have removed the original screenshots I took of the folks over at 4chan except for the initial screen capture of the 4 chan announcement. I have also provided links at the bottom of the page of the news outlets that provided details about my role in the “Snappening” event.
1:30 PM (13:30) PST October 14, 2014
More information has come to light about the developers of the third party app Snapsaved. Meanwhile members of the site 4 chan continue to pore over the contents of thousands of images taken by users of the Snapchat messaging service that were recently leaked from a third-party website. The developer behind that site SnapSaved.com, who has not yet been publicly identified, used a Facebook post to say the site was hacked because of a misconfigured Apache server. The statement also gets into the extent of the breach, while playing down reports that personal information from the users involved was also taken. Below is a screen capture from the facebook post.
The developers also claim that as of one year ago, over 10,000 users of Snapchat were using their service. Security experts have determined that the contents of the torrent file being circulated from this leak are the full contents of the Snapsaved.com server, based on timestamps and other data. The file includes 88,521 still images and 9,173 videos, totalling 97,694 files at 12.9 gigabytes. The good news is that it does not appear to be possible to correlate files to snapchat usernames in the majority of cases.
8:30 PM (20:30) PST October 13, 2014
Unfortunately today I experienced another website outage. Traffic generated to my blog has been so significant that my previous host was unable to continue to host my website. As a result I have changed over to a new host, and have also updated the title of my article to accurately reflect the details of the leak. The original title was “The Snappening – 200,000 Snapchat accounts hacked”. Although the exact number of Snapchat accounts that were hacked has not been verified, it has been confirmed that over 90,000 pictures and videos have been released as a torrent file available for download on various websites.
When this story first broke, someone posted the link to my article on Reddit, and then it was picked up by news outlets. Throughout this whole event, my analytic information shows that over 50% of my total traffic has been from several threads from that site. I have monitored those threads and have enjoyed some of the comments and arguments that they have been presented. Because of this, I thought I’d give some love back to the Reddit community that started it all.
I have started writing my next article tentatively titled “Best practices for keeping your data safe on the cloud”. This is a follow up to the events of the “Snappening” which falls on the heels of the previous major data breach, the “Happening”. I will be posting this article later this week, so stay tuned!
12:30 PM (12:30) PST October 12, 2014
One of the posters on 4 chan seemed to back up the claims by Snapchat that they were not involved in the leak in any way. The poster alleges that it was the third party site Snapsave that was the source of the leak.
On the day the group of people announced that they had retrieved the hacked Snapchat images and videos, they stated that it was their intention to build a website, complete with a search engine, that would allow a visitor to see the pictures of a person that had been leaked, by their Snapchat ID. However, as time goes on, it seems less likely that this site will actually come to fruition. Because 4 chan has been removing every thread related to the “Snappening” event, a group of people has moved to another underground site to post information related to the event. Below is a screen capture from that site showing that even they don’t believe the website will be built.
I will continue to monitor the chatter and sentiment about this event and post updates whenever possible.
10:30 AM (10:30) PST October 11, 2014
It looks like there is now a torrent that is circulating the internet with the leaked snapchat pictures. Users of the site 4 chan have been commenting on how slow it has been taking to download the approximately 13 gigabytes of pictures and videos. Below are comments about the speed of the torrent download:
I have previously reported that the people involved in this hack are planning on making a searchable website by tomorrow. By the sounds of the sentiment on the boards, it probably won’t matter if that website is built, because 90% to 95% of the images will not be nudes, and that is what they are most interested in. The images that are nudes will most likely be removed if they can’t verify the age of the person in the picture.
8:30 PM (20:30) PST October 10, 2014
Just completed an interview with John Langler from King 5 news in Seattle. I have been told by friends that they saw the interview air on Northwest Cable News channel, but have yet to receive a copy.
6:00 PM (18:00) PST October 10, 2014
What a whirlwind adventure these last 24 hours have become. I awoke this morning to an explosion of emails, tweets and my website that had ground to a halt because of sheer amount of traffic. After I went to bed, my article was picked up by Reddit, and then Forbes followed by several other news media sites. Here is the original announcement posted on 4 chan claiming that the site Snapsave had been compromised.
In the first couple hours of the event, there was a little confusion about the intentions of my blog; some people thought that I was the one posting the leaked Snapchat images on my website. Others thought that I had created an elaborate hoax to grab attention. Fortunately, Kashmir Hill from Forbes interviewed me over the phone and clarified the story. You can read her article here:
The information in her article was verified by a another article that was simultaneously written by James Cook at Business insider. http://www.businessinsider.com/snapchat-hacked-the-snappening-2014-10
Unfortunately It appears that this “Snappening” event will not be going away any time soon. I have since received emails from members of 4chan stating that it’s not over. They have told me that their original plan was, and continues to be, to take the leaked images and database that they hacked, and create a website where anyone will be able to search for their favorite snapchatter for nude pictures. They have set a temporary deadline of October 12, 2014.
Another blogger, Brian Koerber provides some great details about the confusion from the media and some clarification from the users of 4chan:
The implications of this leak are very complicated, as some of the images will most likely be of underage teens. I wanted to point out that I was never involved in this event, outside of simply providing an objective timeline of the events as they unfolded.
On Sunday October 12, 2014, I will begin writing a follow up article about security in the cloud, and best practices for mobile apps. Basic rule of thumb… If you don’t want a compromising picture to be seen by anyone, DON’T UPLOAD IT to any cloud service, or mobile app. They are simply not safe and can’t provide you complete privacy.
Thank you to everyone that has contacted me via twitter and email. I appreciate all your support and comments.
Come on now, don’t be shy. Feel free to give us a comment and tell us what you think!