Reports have been circulating that allege Snap, the ephemeral messaging firm that recently went public, suffered a data breach at the hands of anonymous Indian hackers last year, and that the hackers this week leaked the information they supposedly obtained on 1.7 million users online.
The rumor mill started churning after a reporter at India Today, an India-centric news site, picked up the claims of a breach by an unidentified hacker group. News spread further when the Daily Mail, a British tabloid newspaper that has a joint-publishing business relationship with the India Today Group, syndicated the story. The report has since been trotted out elsewhere, including by Newsweek and others.
Fortune decided to take a look at the supposedly leaked data to see whether the alleged hackers’ claims had any basis in fact. As expected, some digging revealed the claims were likely to be false and misleading, which is hardly a surprise. Hackers (for lack of a better term) have a habit of hyping claims and playing the media to advance their own agendas.
According to the original report, the alleged hackers published stolen information “on the darknet.” In reality, the only dump Fortune could locate appeared on Ghostbin, an open source text storage site that exists on the deep web, where search engines do not index the contents of webpages. (Dark web sites, in contrast, often manifest as Tor hidden services, encrypted web addresses that require special software, like the Tor browser, to access them.)
June 5th: The AI Audit in NYC
Join us next week in NYC to engage with top executive leaders, delving into strategies for auditing AI models to ensure fairness, optimal performance, and ethical compliance across diverse organizations. Secure your attendance for this exclusive invite-only event.
The dataset on Ghostbin contained more than 4,000 rows of entries, each displaying what appeared to be usernames and phone numbers (where the last two digits were blurred out) for people based only in the United States — far fewer than the 1.7 million compromised accounts originally claimed. There were no passwords present.
Suspicious that this haul might have been repurposed from an earlier data exposure, Fortune cross-referenced its contents with a leak of Snapchat user data that occurred more than three years ago. At that time, an attacker had abused a Snapchat address book API, a tool related to the app’s “Find Friends” feature, in order to harvest and leak usernames and phone numbers for 4.6 million accounts. The incident contributed to the company’s eventual settlement with the U.S. Federal Trade Commission in 2014 over misleading privacy and security practices. (Snapchat has since said that it has secured its systems against similar attacks in the future.)
By Fortune’s assessment, the recently posted Ghostbin dataset and the 2013 dataset — a copy of which Fortune obtained through the file sharing network BitTorrent — were a match. They contained the same data, including usernames and phone numbers featuring blurred-out digits. One difference, however, was that the newer dataset was three orders of magnitude smaller than the original.
Judging by this, it appears that the supposed hackers did merely repurpose a portion of an old data leak, a common tactic in the digital underworld. Fortune’s analysis matches an evaluation by Rojan Rijal, a security enthusiast and frequent bug bounty program participant, who found much the same in the course of his own investigation.
“Snapchat was not exactly hacked and the hackers just pasted an old data that was published online,” Rijal wrote on his personal Tumblr blog on Monday.
Fortune also consulted several threat intelligence firms, none of which had turned up any new leaked Snap data either. They too had discovered only the aforementioned 3-year-old user data.
Andrei Barysevich, director of advanced collections at Recorded Future, a digital intelligence shop based in Somerville, Mass., said that his team “closely monitors hundreds of criminal communities, and as of this morning, we were unable to identify any recent Snapchat data leaked to the dark web beyond the 4.6 million records stolen during the 2014 hack.”
In separate emails, other threat intelligence firms, such as Flashpoint and FireEye’s iSight Partners, agreed.
Snapchat’s security team, for its part, has also not been able to turn up anything new. “We have not seen anything that would suggest these claims are accurate,” a Snap spokesperson told Fortune in an email, in reference to a question about the hackers’ claims. “We take the safety of our community and the security of our service very seriously. Our team is continuing to investigate.”
The simplest conclusion is that the alleged hackers got their hands on the earlier dump and published a portion. If one had to speculate, they likely did so to pile on to the ongoing PR debacle facing Snapchat in India.
According to the original story, the hackers claimed to leak the alleged Snap user data in retaliation for comments allegedly made by Snap CEO Evan Spiegel in 2015. At that time, Spiegel allegedly said he was not interested in bringing the service to “poor countries like India and Spain,” a lawsuit by a former Snap employee alleges. Snap, on the other hand, vehemently disputes that Spiegel ever said anything to that effect.
Despite this, the assertion in the court filing sparked calls for a boycott of the app in India a few days ago. “#BoycottSnapchat” even began trending on Twitter, a movement helped by the fact that India is one of the world’s largest markets.
To sum up: Barring any further evidence, the reports of a new Snap hack appear to be bogus. Hackers likely just used the opportunity to co-opt uncritical media outlets to further thrash the company.
This story originally appeared on Fortune.com. Copyright 2017
