A Snapchat payroll employee opened the wrong email last week to damaging consequences.
The message was a phishing scam that impersonated Snapchat’s CEO Evan Spiegel.
In the email, a hacker posing as Spiegel requested payroll information for existing and ex-employees. The hacker then exposed that information to the outside world.
Snapchat issued a public apology to its workers in a blog post on Sunday.
The incident took place on Friday, according to the post. Within four hours, the startup confirmed that it was an “isolated” problem and reported it to the FBI.
Luckily, no servers were breached. No user data was taken. But “a number of our employees have now had their identity compromised. And for that, we’re just impossibly sorry,” Snapchat says.
The startup has contacted all of the employees who were impacted by the scam, and offered them offered two years of identity-theft monitoring and insurance. Snapchat says it has strengthened its training programs too.
Phishing scams like this one are simple by design — a malicious actor pretending to be a trusted source. But its effects can be disastrous and complicated, as the Sony hack proved. All it takes is duping the one person who has all the right keys.
The way that Snapchat secures information has been of public interest since 2013, when the app started to gain massive popularity.
At the end of that year, cybersecurity researchers warned the company that hackers could find a way to expose people’s identities by linking phone numbers with user names.
Snapchat didn’t heed those warnings properly, and a day into the 2014 New Year, a database of 4.6 million numbers and user names were leaked online. The startup’s security problems escalated further that year when hackers also raided a third-party app and stole tens of thousands of photos and videos.
Since those breaches, Snapchat has been sensitive to the way it responds to any security-related issue. The startup has been quicker to admit to, apologize for, and fix its mistakes.
“We’re a company that takes privacy and security seriously,” Snapchat’s latest explanation reads. “So it’s with real remorse–and embarrassment–that one of our employees fell for a phishing scam.”