Snapchat Inc. has fallen victim to a phishing scam.
A payroll department employee at the Venice company emailed sensitive personal information about 700 current and former workers to someone pretending to be Chief Executive Evan Spiegel on Friday, a spokeswoman said.
The impostor received employees’ W-2 tax form data, including name, Social Security number, wages, stock-option gains and benefits. Fifteen minutes after replying, the employee realized the original request, which appeared as if it had been sent from Spiegel’s email address, wasn’t legitimate. The employee then sent a follow-up email to Spiegel, who didn’t recognize the original note.
The FBI is investigating the incident. Current employees were quickly notified and an email to former employees was sent Sunday night. Everyone affected is being offered free credit monitoring and identity theft insurance.
“It did not affect our users or our service whatsoever,” the company said in a statement. “It impacted our employees and we are obviously very sorry that it happened. We are doing everything we can to work with our team now and prevent it in the future.”
Phishing and other social engineering tactics are the top reason behind corporate data breaches, surveys have shown. No matter how many firewalls and other defenses companies mount, hackers have continued to find an easy way in by tricking workers into clicking malicious links and releasing data in response to realistic messages.
Some organizations have installed software to add extra security to emails and to prevent certain files from leaving internal networks. Many others have stepped up security training for employees, going as far as running “phishing drills” to teach employees to avoid the “bait.”
Ritti said Snapchat planned to do more internal training. She declined to release a copy of Friday’s phishing email, citing the ongoing law enforcement investigation.
Cybersecurity is a key issue for Snapchat’s brand. More than 100 million people use the entertainment app each day, sometimes to send self-destructing photos and videos with sensitive content.
The company has had problems before. A vulnerability exploited by hackers in 2013 led to names and phone numbers of millions of users being compromised. Since then, the company has touted several measures to upgrade security.