This week, news broke that both Snapchat and Dropbox had been hacked—or had they? After the initial panic waned, both companies came out with formal statements claiming that they hadn’t actually been hacked at all, pinning the incident on suspicious third-party products that tie into their respective services. It’s worth noting that while these services remain “secure” for the time being—a fact that’s subject to change—many third-party apps and services don’t have the same resources or the same concern for securing user data.
A third-party app is anything that plugs into software like Snapchat or Dropbox to provide additional features. In the case of Snapchat, the Google Play and iOS App Store are both overrun with apps that help users save snaps. In the case of the Snapchat hack, a third-party site called Snapsaved.com appears to be to blame for the leak, which affected as many as 200,000 Snapchat accounts. (Notably, the Snapsave mobile app does not appear responsible.)
Snapchat cautions its users against any third-party apps that require account login information, as these violate the app’s terms of use and put users at risk. Yes, that includes all of those handy Snapchat spinoff apps.
From Snapchat:
When you give your login credentials to a third-party application, you’re allowing a developer, and possibly a criminal, to access your account information and send information on your behalf.
It takes time and a lot of resources to build an open and trustworthy third-party application ecosystem. That’s why we haven’t provided a public API to developers and why we prohibit access to the private API we use to provide our service. Don’t get us wrong – we’re excited by the interest in developing for the Snapchat platform – but we’re going to take our time to get it right. Until then, that means any application that isn’t ours but claims to offer Snapchat services violates our Terms of Use and can’t be trusted.
Snapchat has always been a fun place to share Snaps with friends. The best way to keep our community safe is a combination of security countermeasures and common sense. We’ll continue to do our part by improving Snapchat’s security and calling on Apple and Google to take down third-party applications that access our API. You can help us out by avoiding the use of third-party applications.
For Dropbox, the hundreds of passwords and email addresses that were harvested also had their root in a third-party app vulnerability. In a departure from the tone of the initial panic the incident inspired, Dropbox came out with a statement that it had detected the vulnerability the data was culled from and had deactivated the affected passwords months ago. Still, some of the username and password combinations made public still appeared to work, as Reddit users demonstrated after the Pastebin file was published.
Users (understandably) wary of further intrusions into the data they store on Dropbox have a few options. First, turning on two-step authentication is a powerful, straightforward way to ward off potential hacks (here’s where you can enable it for a variety of services). As Dropbox explains:
The idea behind two-step verification is to combine “something you know” (like your password) with “something you have” (like your phone) to add an extra layer of security. Once you’ve enabled this feature, Dropbox will either text you a six-digit security code to enter after your password or you can get the code from an authenticator app like Google Authenticator, which is useful if you can’t get a cell signal. Having two steps rather than just one creates a stronger barrier against attackers.
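To make the "something you know" plus "something you have" idea concrete, here is an added example (not Dropbox's code, and not the page's) of a login check that requires both a password and a six-digit code of the kind an authenticator app produces. It assumes the code is an RFC 6238 TOTP, which is the scheme Google Authenticator implements; the secret used is the RFC 4226 test secret, and the user record, password and timestamps are constructed for illustration. The point it shows is that a harvested password on its own does not satisfy the check.

```python
"""Added example: a two-factor login check (password + TOTP), not Dropbox's own code."""
import hashlib
import hmac
import os
import struct

# Constructed test data: RFC 4226's published test secret, not a real user's.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    An authenticator app computes this offline, which is why no cell signal is needed."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step or +/- `window` steps to absorb clock drift.
    compare_digest keeps the comparison constant-time."""
    counter = int(at_time) // step
    return any(
        hmac.compare_digest(hotp(secret, c), code)
        for c in range(counter - window, counter + window + 1)
    )


def hash_password(password: str, salt: bytes = None):
    """Salted PBKDF2 so the stored record is not the password itself (factor 1: what you know)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed user record: password hash plus the shared TOTP secret (factor 2: what you have)."""
    salt, digest = hash_password(password)
    return {"salt": salt, "pw_hash": digest, "totp_secret": totp_secret}


def login(user: dict, password: str, code: str, at_time: int) -> bool:
    """Both factors must pass. The code is always checked, so a leaked password alone is not enough."""
    _, digest = hash_password(password, user["salt"])
    password_ok = hmac.compare_digest(digest, user["pw_hash"])
    code_ok = verify_totp(user["totp_secret"], code, at_time)
    return password_ok and code_ok


if __name__ == "__main__":
    user = make_user("correct horse battery staple", RFC_TEST_SECRET)  # constructed
    now = 59  # constructed timestamp matching the RFC test vectors
    print("password + valid code :", login(user, "correct horse battery staple", totp(RFC_TEST_SECRET, now), now))
    print("password + stale code :", login(user, "correct horse battery staple", "000000", now))
```

The `window` argument is the usual compromise between tolerating a phone whose clock is a few seconds off and keeping the number of codes an attacker could guess small; real deployments also rate-limit attempts and refuse to accept a code twice.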
To add another layer, a handful of services can encrypt data before it is uploaded to Dropbox, so it never reaches the cloud in the clear. With that method, even if an account were breached, the encryption would render the contents of the Dropbox account useless to whoever got in. Dropbox’s own claims about encryption are questionable enough that Edward Snowden has urged Dropbox users to switch instead to SpiderOak, a more secure competitor.
Ultimately, turning on two-factor authentication and vetting any third-party tool is the safest way to avoid this flavor of indirect account breach. And if you’re concerned enough about the integrity of your data (or even your shared photos), consider looking into far more secure alternatives that aren’t the easy targets many of the big names in social apps and cloud storage have become.
Photo via David Goehring (CC BY 2.0)