Snapchat employees abused data access privileges to spy on users

ThreatPost, May 24, 2019, with comments by Willy Leichter

Report finds Snap employees misused privileges of the internal SnapLion tool to access Snapchat user data; experts warn that insider threats are a top challenge for privacy

In Q3 of 2018, Snapchat had 186 million users. Snapchat’s parent company, Snap, is on the defensive after last week’s report that Snap employees abused the access privileges they had to those users’ accounts. They violated Snapchat users’ privacy not just by accessing their data but by actually spying on it, including location data, phone numbers and saved Snaps.

One of the tools they used, SnapLion, was initially designed to collect data for law enforcement requests and court orders. But researchers discovered that some employees were taking advantage of the tool, going beyond its law enforcement purpose to collect information such as email addresses for personal reasons.

Can organizations trust employees who have access to private user data?

Organizations have valid reasons for giving their employees the capability of accessing volumes of user information. But they are severely challenged when it comes to preventing all of those employees from abusing their privileges. The employees who spied on users accessed information that was potentially quite personal. The information included saved Snaps, which contain photos and videos exchanged between users. These photos and videos self-delete after they are opened, but senders have the ability to save them. The employees who spied also accessed the location, email and phone numbers on the user accounts.

Should Snap and other social companies enforce more restrictions?

Along with frustration and concern, the report is raising a lot of eyebrows and questions. Perhaps it makes sense for Snap not to allow as much access as it does. And Snap should potentially increase its tracking of, and restrictions on, employees’ access to data. The report reveals that Snap already has some restrictions in place, such as a login system that allows the company to track who uses the tool and how closely those users are able to track Snapchat users. Snap has also claimed it already provides data monitoring and restricts access to internal tools, like SnapLion, to those who profess to really need it.

Other security measures Snap has put in place include requiring employees to log into a system that enables the company to track users, systems and data on the fly, as well as what data is accessed. Former employees have reported that the logging tool isn’t foolproof, and clearly it was not sufficient to prevent this major violation.
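As an added illustration of the kind of access monitoring this section describes (example code written for this page, not from the article, Snap or SnapLion): an audit-log check that flags any lookup of a user’s sensitive fields that is not tied to an open legal request covering that same user. The log format, field names, ticket registry and all sample events are hypothetical and constructed here.

```python
import json
from datetime import datetime

# Fields the article names as exposed by the misuse: location, saved Snaps, email, phone.
SENSITIVE_FIELDS = {"location", "saved_snaps", "email", "phone"}

# Constructed registry of authorized legal requests (hypothetical): ticket -> covered user and expiry.
LEGAL_REQUESTS = {
    "LE-1001": {"subject": "user_4821", "expires": "2019-05-30T00:00:00"},
}

# Constructed audit log from the internal lookup tool, one JSON event per line.
AUDIT_LOG = """\
{"ts": "2019-05-20T10:02:11", "employee": "e.ops1", "subject": "user_4821", "fields": ["phone"], "ticket": "LE-1001"}
{"ts": "2019-05-20T10:05:40", "employee": "e.ops2", "subject": "user_7733", "fields": ["location", "saved_snaps"], "ticket": null}
{"ts": "2019-05-20T11:15:02", "employee": "e.ops1", "subject": "user_9090", "fields": ["email"], "ticket": "LE-1001"}
{"ts": "2019-05-20T11:16:30", "employee": "e.ops3", "subject": "user_4821", "fields": ["display_name"], "ticket": null}
{"ts": "2019-06-02T09:00:00", "employee": "e.ops1", "subject": "user_4821", "fields": ["location"], "ticket": "LE-1001"}
"""

def check_event(event, requests=LEGAL_REQUESTS):
    """Return the policy violations for one event; an empty list means it is allowed."""
    touched = SENSITIVE_FIELDS & set(event["fields"])
    if not touched:
        return []                      # non-sensitive lookup: no ticket required
    ticket = event.get("ticket")
    if ticket is None:
        return ["sensitive fields read without a legal-request ticket"]
    req = requests.get(ticket)
    if req is None:
        return [f"unknown ticket {ticket}"]
    reasons = []
    if req["subject"] != event["subject"]:
        reasons.append(f"ticket {ticket} does not cover {event['subject']}")
    if datetime.fromisoformat(event["ts"]) > datetime.fromisoformat(req["expires"]):
        reasons.append(f"ticket {ticket} had expired")
    return reasons

def audit(log_text, requests=LEGAL_REQUESTS):
    """Run check_event over every log line; return {employee: [violation, ...]}."""
    findings = {}
    for line in filter(str.strip, log_text.splitlines()):
        event = json.loads(line)
        for reason in check_event(event, requests):
            findings.setdefault(event["employee"], []).append(reason)
    return findings

if __name__ == "__main__":
    for employee, reasons in audit(AUDIT_LOG).items():
        print(employee, "->", reasons)
```

The check catches the three misuse patterns the article implies: a lookup with no legal request at all, a valid ticket reused against a different user, and a ticket used after its authorization lapsed.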

Snap isn’t the only one violating privacy

Insider threats are attacks that organizations constantly worry about and guard against. Such threats are an increasing concern industry-wide, as confirmed by the recent Verizon Data Breach Investigation Report (VBIR). The report, published this month, says “privilege misuse and error by insiders account for 30 percent of breaches.” See our article, The 2019 Verizon Data Breach Investigative Report Is Out – Shows Major Perimeter Weaknesses for Enterprises.

An even bigger social media company, Facebook, is also on the hook for many privacy violations. It is currently involved in several investigations (see our articles below) for breaching user privacy. But a year ago, it too had an insider issue, when it had to fire an employee for using data access privileges to stalk women online. A former Facebook employee reported that several employees had been terminated for similar behavior, including abusing access to user information and stalking executives.

Willy Leichter, vice president of marketing at Virsec, told Threatpost that, arguably, too much cyber privacy discussion is about egregious breaches or external leaks of private data rather than internal employee incidents.

“While [external leaks] are newsworthy, the broader question is how much trust we put in online services to whom we’ve voluntarily given information,” said Leichter. “Privacy regulations like the GDPR do have requirements for minimizing use of personal data to specific authorized activities, but oversight and enforcement of internal abuse rarely exists. The temptation for abuse is just too great for online services that monetize data to find creative ways to go over the line.”

Read the full Threatpost article, “Snapchat blunder piques concerns.”

Further resources

  1. The 2019 Verizon Data Breach Investigative Report Is Out – Shows Major Perimeter Weaknesses for Enterprises
  2. Five Tech Giants – Facebook, Twitter, Apple, LinkedIn, Google – Face Investigations for Possibly Violating European Privacy Laws
  3. Facebook compromises users’ privacy yet again
  4. Facebook is under the spotlight yet again for another huge data breach, this time affecting many other apps and sites you've logged into
  5. ICO issues maximum £500,000 fine to Facebook for failing to protect users’ personal information