tech

Snapchat CEO: 'We thought we had done enough' to prevent hack

Jan. 3, 2014 at 8:11 AM ET

Video: Evan Spiegel, 23, CEO of the popular photo-sharing app, speaks out about the site’s massive security breach, downplaying earlier reports that the company had been warned that the site was vulnerable.

Just days before Snapchat was hacked for the private account information of millions of users, a security company warned that the popular photo messaging app was vulnerable. Nonetheless, Snapchat's CEO thought the company had adequately prepared for an attempted breach, he said on TODAY Friday.

“I believe at the time we thought we had done enough,’’ CEO Evan Spiegel told Carson Daly in an exclusive interview. “But I think in a business like this and a business that is moving so quickly, if you spend your time looking backwards, you're just going to kill yourself.”

On New Year’s Eve, a website called SnapchatDB.info went online, offering a database it said contained the usernames and phone numbers of 4.6 million Snapchat accounts. The popular app that lets people send photos or videos that are deleted shortly after they are viewed was hacked using the site’s “Find Friends” service, according to Spiegel.

Australia-based Gibson Security had been warning for months that Snapchat’s app code had holes in its security, and on Dec. 25 posted an online report that explained how it could be hacked for user account information.

“We call it abuse of the ‘Find Friends’ service,’’ Spiegel said. “A tool we developed to help Snapchatters find their friends was used by someone to find usernames of people that weren’t their friends. This person had 4.6 million friends in their address book, and they [the hackers] were able to match those phone numbers to usernames and then release that list.”

The “Find Friends” service is optional, and Snapchat announced following Spiegel’s interview with TODAY that it has released an update to the application that the company believes will close the gap in security. Spiegel added that no pictures or videos were compromised, and that all “snaps” are deleted after they are viewed.

“One important thing about the Find Friends service is that it is optional,’’ Spiegel said. “If you would prefer to not have people to be able to search for your phone number and find your username, that's fine.”

The SnapchatDB.info site was taken down by Wednesday morning, but several visitors claimed they were able to download the database, including a TechCrunch reader who found his own number and Spiegel’s number. The anonymous group behind the hack released a statement to several media outlets on Wednesday.

“Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed,'' the statement read. "It is understandable that tech start-ups have limited resources but security and privacy should not be a secondary goal. Security matters as much as user experience does.”

Spiegel, 23, is trying to reassure Snapchat’s users, who send 350 million images a day, according to the company.

“Technology businesses in general are susceptible to hacking, and that's why you have to work really, really hard with law enforcement, with security experts, [and] internal and external groups to make sure you are paying attention and addressing security concerns,’’ Spiegel said. “The key is striking a balance between providing [the] utility of a friend service and preventing abuse, and that is something we are always working on.” 

TOP