I suppose the good news is that if, like me, you never signed up for a Snapchat account, you don’t need to do anything (with regard to this Snapchat info-breach). Except there is no good news, because what’s apparently just happened to Snapchat — the leaking of over 4.6 million North American Snapchat users’ phone numbers and usernames, extricated by a group that says it wants to spotlight Snapchat’s security issues — could happen to just about anyone using any online service or tool (as we’re perennially reminded, breach after breach).
Snapchat, for those who’ve never heard of or used it, is a popular photo-sharing app: broadly Instagram-like, but with little quirks, like the ability to doodle on photos, or set them as viewable for select periods of time. Business-wise, it’s another one of these companies that’s not making any money, but insanely high-valued nonetheless (presumably based on the assumption that it’ll eventually succumb to spamming users with ads). Rumor has it both Facebook and Google have made acquisition overtures, but in both instances Snapchat CEO Evan Spiegel declined.
Last month, the app’s security robustness took center stage: a group calling itself Gibson Security published information outlining alleged Snapchat vulnerabilities, just as Santa was tiptoeing down chimneys on Christmas Eve. The group added that its attempts to warn Snapchat of these vulnerabilities had been rebuffed since August. Snapchat responded to Gibson Security’s claims on December 27 with a press statement that now reads a bit like chutzpah:
Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way. Over the past year we’ve implemented various safeguards to make it more difficult to do.
Not so difficult, it seems: The folks behind Wednesday’s multimillions info-dump say they used a modified version of the Gibson Security method to extract Snapchat users’ phone numbers and usernames, then posted it to a .info website dubbed SnapchatDB (don’t bother looking, the site has since been suspended).
To sum up: self-styled security group says it spent months warning Snapchat about potential exploits, Snapchat shrugs, then days later, another group makes good on the exploit. The speed at which it all went down is…well, not so surprising in 2014, sadly.
The lesson, and it’s one that keeps coming up like Bart Simpson scribbling aphorisms on a blackboard, is that your information is not secure online — no matter the company, no matter the safety claims. It’s also not perfectly secure in a physical safe locked in a vault buried five miles under the Marianas Trench either, but we’re talking about differences in speed and scale: there’s no offline parallel to tapping millions of private accounts and disseminating that information globally in a matter of days or hours.
What can you do? Start by changing your Snapchat password, and by password, I mean gibberish. I prefer Strong Password Generator’s character randomizer, because it lets you include punctuation, including blank spaces (ideal — just surrender to the notion that you’re going to have to record this somewhere) as well as raise the character limit (want a 100-character password?) to the point of serious inscrutability.
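For readers who would rather generate such a password locally than paste one from a website, here is an added example (not from the article or from Strong Password Generator) that draws uniformly from letters, digits, punctuation and the blank space, insists every class appears, and reports how much guessing entropy the result carries:

```python
import math
import secrets
import string

# Alphabet mirrors the article's advice: letters, digits, punctuation and the
# blank space, 95 printable ASCII characters in all.
ALPHABET = string.ascii_letters + string.digits + string.punctuation + " "
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits,
           string.punctuation + " ")


def generate_password(length=100):
    """Return a random password of `length` characters drawn from ALPHABET.

    Candidates are drawn with the OS CSPRNG (secrets) and rejected until every
    character class is represented; rejection sampling keeps the result
    uniform over the set of accepted strings.
    """
    if length < len(CLASSES):
        raise ValueError("length too short to cover every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def entropy_bits(length, alphabet=ALPHABET):
    """Guessing entropy of a uniformly random string: length * log2(|alphabet|).

    For the article's 100-character suggestion this is about 657 bits; even a
    20-character draw from the same alphabet is past 130 bits, well beyond
    what offline guessing can reach.
    """
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    pw = generate_password(100)
    print(repr(pw))  # repr() makes leading/trailing spaces visible
    print(f"{entropy_bits(len(pw)):.0f} bits of entropy")
```

Some login forms strip leading or trailing spaces before checking a password, so compare the copy you record against what the site actually accepted.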
The next step, and it’s a painful but critical one-time process, is to survey your online footprint and repeat this procedure for all of your accounts. I suspect most still use one or two account names and passwords for most things because it’s convenient and we’re still laboring under the illusion that brains are our safest depositories. Trouble is, once just one of those accounts is compromised, you’re looking at a far more arduous task: changing the password for all those other accounts, whether directly compromised or no (if you think just changing the password on the breached account takes care of business, you’re basically rolling out the red carpet).
Which brings us to the crux of the hassle in doing this: almost no one has an eidetic memory. How do you reconstitute a giant string of gobbledygook in a pinch?
You can’t, which means you’re going to need to store this information somewhere, possibly in an encrypted document (for easy copy-and-paste), and ideally in an offline location. I’ve been investigating solutions for this very purpose, say something like a heavily encrypted USB key you could attach to, then disconnect from a computer.
This assumes you’re using a device with USB connectivity, of course, which eliminates most smartphones and tablets (problematic because of copy-and-paste idiosyncrasies, especially with random character strings). Some people use a master online document accessed with a single mnemonic password, which solves the USB storage problem assuming your phone or tablet can access the online document, but this also introduces the obvious elevated risk that if someone accesses said storage solution, they have detailed access to all of your accounts.
My preference, as an iOS user, is to set up my iPhone or iPad and leave myself logged in so I don’t have to re-enter passwords, depending instead on the phone’s screen-locking mechanisms (and remote bricking options, if the phone’s ever lost) to keep things reasonably secure.
An alternative, for accounts where you’re likely to have to re-enter password info, is to use sophisticated mnemonics, say combinations of numbers, case-sensitive letters and words that substitute characters for certain vowels or consonants, but limit them to a handful of accounts. (Apple requires you periodically re-log in to install new App Store apps in iOS, for instance. Or say you’re accessing your Gmail on a public computer: you probably don’t want to have to whip out a USB key, much less expose that key to a foreign computing environment.)
Don’t forget to enable a service’s extra security precautions if they’re available, say having the service text you an authentication code to confirm each login. It’s a pain, yes, but it’s also where we live in 2014. You can’t force a company to take security as seriously as it ought to, and you certainly can’t hermetically isolate yourself from determined hackers, but you can make yourself less vulnerable. Online security is a shared responsibility. We can and should expect companies like Snapchat to do better, but in the meantime, you can make yourself worlds safer by structuring your online footprint such that each breach is at least containable.