In late July, Snap’s director of engineering emailed the company’s team in response to an unfolding privacy threat. A government official from Dorset in the United Kingdom had provided Snap with information about a recent attack on the company’s users: a publicly available list, embedded in a phishing website named klkviral.org, that listed 55,851 Snapchat accounts, along with their usernames and passwords.
The attack appeared to be connected to a previous incident that the company believed to have been coordinated from the Dominican Republic, according to emails obtained by The Verge. Not all of the account credentials were valid, and Snap had reset the majority of the accounts following the initial attack. But for some period of time, thousands of Snapchat account credentials were available on a public website.
Snap says it uses machine-learning techniques to look for suspicious links being sent within the app, and proactively blocks thousands of suspicious URLs per year. Users who were affected by the July attack were notified that their passwords had been reset via an email from the company.
In the July case, the company noticed that a single device had been logging into a large number of accounts and began flagging it as suspicious. But thousands of accounts had already been compromised.
It is unclear how long the attack went on, or when the attack Dominican Republic attack had begun. But by the morning of July 24th, Google had blocked klkviral.org from appearing in search results and flagged it as a malicious site for people trying to visit it. (Snap works with Google and other tech companies to maintain a list of known malicious sites.)
The accounts compromised in July represent a tiny fraction of Snap’s 187 million active users. But the incident illustrates how sites set up to mimic login screens can do an outsized amount of damage — and how companies must increasingly rely on machine-learning techniques to identify them in real time.