Sketchy Snapchat backup services leave users exposed

Despite Snapchat's self-proclaimed efforts to shutter third-party services, a new hack of the service -- popular with teens -- exposes an enormous library of user photos and videos.

Seth Rosenblatt Former Senior Writer / News
Senior writer Seth Rosenblatt covered Google and security for CNET News, with occasional forays into tech and pop culture. Formerly a CNET Reviews senior editor for software, he has written about nearly every category of software and app available.
Ian Sherr Contributor and Former Editor at Large / News
Ian Sherr (he/him/his) grew up in the San Francisco Bay Area, so he's always had a connection to the tech world. As an editor at large at CNET, he wrote about Apple, Microsoft, VR, video games and internet troubles. Aside from writing, he tinkers with tech at home, is a longtime fencer -- the kind with swords -- and began woodworking during the pandemic.
Seth Rosenblatt
Ian Sherr
4 min read


Third-party services that let Snapchat users back up their photos and videos -- and that Snapchat claims it tried to shut down -- are at the center of the latest Snapchat hack.

An enormous, 13-gigabyte library of photos and videos from an estimated 200,000 accounts had been saved through apps and websites not affiliated with Snapchat has been hacked. Snapchat popularized "ephemeral" messaging services, which claim to delete messages after they are viewed.

A close read of Snapchat's privacy policy indicates that the service would not be in violation of any of its publicly-posted policies to keep messages long after users think they've been deleted. The policy states that "there may be ways to access Snaps" on your device even after the app has deleted them.

That appears to have been the case with the two third-party services that are suspected of being at the center of the hack, details of which were first reported by Business Insider on Friday. SnapSave, an Android app, and the similarly named SnapSaved, a website that closed down several months ago, allowed Snapchat users to read messages outside of Snapchat's app. They also appear to have created backups of messages.

It's not clear if the backups were created intentionally, or if the services were created with the express purpose of storing Snapchat messages without the knowledge or permission of Snapchat users.

Snapchat put the blame squarely on the shoulders of its users, and said, "Snapchatters were victimized by their use of third-party apps to send and receive Snaps, a practice that we expressly prohibit in our Terms of Use precisely because they compromise our users' security. We vigilantly monitor the App Store and Google Play for illegal third-party apps and have succeeded in getting many of these removed."

"What we do know is that our servers have not been breached and no Snaps have been leaked from our servers," Snapchat spokeswoman Mary Ritti told CNET.

The company did not answer questions about what steps it has taken to warn its users about these third-party services aside from its Terms of Service.

Chris Eng, vice president of research at computer-security research firm Veracode, said Snapchat has "a history of not taking security seriously."

"SnapSave was in the [Google Play Store] since 2013. That alone suggests to me that they're not being very aggressive" about policing third-party apps, Eng said.

He added that Snapchat was slow to adopt encryption, a common tool to protect Internet traffic from snooping, and that Snapchat's initial implementation of encryption was weak because they used only a "single encryption key."

"I would bet that they've never had an independent security review," Eng said, referring to a common way for companies to evaluate how tough their security is.

Snapchat is best known for offering something Facebook and Twitter don't: A way to send messages without having to think about what they'll look like a few years from now. When customers send each other photo or video "snaps," recipients can view them for a short amount of time before they disappear. Snapchat debuted in 2011.

The service has now become one of the titans of the social-networking industry, particularly attracting users aged 18 to 24. One estimate says that half of Snapchat users are teenagers between 13 and 17 years old.

Facebook reportedly attempted to buy the firm for $3 billion last year, in addition to fielding two apps of its own that attempt to offer similar functionality. In August, ComScore said the app had become the third-most popular social media app in the US, behind Facebook and its photo-sharing service Instagram.

The Snapchat-related breach comes a month after hackers cracked open Apple's iCloud service to steal celebrity photos, many of which depicted the celebrities in nude or sexual situations.

Actress Jennifer Lawrence spoke to Vanity Fair about the iCloud hack. "It is not a scandal. It is a sex crime," she said, calling the hack a "sexual violation" and attacking the sites that host the photos as "disgusting."

Victims of the Snapchat hack are left with little recourse. While celebrities have used their star power to threaten Google with a lawsuit for linking to images stolen from iCloud, Snapchat users so far do not appear to be linked. Contacting the administrators of websites that are hosting the images may be the only way to get photos and videos from Snapchat removed, and there's no guarantee that will work.

Not all ephemeral messaging services are as open to third parties as Snapchat. Wickr, a similar service that not only can delete messages after they've been sent, but also encrypt them so that not even Wickr employees can see what users are sending to each other, prevents third-party services from accessing its servers.

Wickr's Android app is prevented from taking screenshots. But users can take screenshots in Wickr on an iPhone because Apple doesn't allow developers to disable screen-capturing in iOS.