Cyber Incident Victim: Snapsaved.com
Date: Oct 2013
Location: United States of America
Summary
A third-party Snapchat service enabling image saving was compromised due to a misconfigured server, leading to the leak of thousands of user photos and videos. The developer disputed claims of a searchable database being created from the stolen data, asserting insufficient information existed, while acknowledging manual content moderation efforts and reporting of illicit material to authorities. However, analysis of leaked files revealed organized data including hundreds of usernames alongside geographically categorized media. The incident highlighted vulnerabilities in Snapchat’s reverse-engineered API, including weak encryption practices and easily extractable keys, which facilitated unauthorized third-party clients. Snapchat maintained its servers were unaffected and attributed responsibility solely to the third-party service and its users.
Description
The Snapsaved.com incident began with the compromise of a third-party Snapchat service that allowed users to circumvent Snapchat’s ephemeral messaging features by saving images through a web interface. On October 13, 2014, SnapSaved’s developer acknowledged via Facebook that the site had been breached due to a misconfigured Apache server, leading to the theft of user data. The service, hosted by HostGator, primarily served users in Sweden, Norway, and the United States. Attackers leaked thousands of images and videos to 4chan’s /b/ forum, prompting widespread scrutiny. SnapSaved’s spokesperson denied claims of a searchable database (“the Snappening”) being developed from the stolen data, calling the rumors a hoax and asserting the hacker lacked sufficient information to create such a tool. The developer emphasized efforts to combat illicit content, including manual review of images and reporting users to Scandinavian authorities for child pornography. SnapSaved operated using a reverse-engineered version of Snapchat’s API, which had been publicly exposed over a year earlier, enabling third-party apps to bypass Snapchat’s deletion mechanism without senders’ knowledge.

Snapchat distanced itself from the incident, stating its servers were not breached and attributing responsibility to SnapSaved and its users for violating terms of service. Technical analysis revealed vulnerabilities in Snapchat’s API, including hard-coded encryption keys and the use of AES in ECB mode (a weak mode of operation), alongside easily extractable SSL session keys. Security researchers had previously warned that third-party clients exploiting these flaws were inevitable. Updates to the initial report confirmed the breach’s scope: an individual named “Riot” claimed the leaked torrent contained 88,521 images and 9,173 videos (12.9 GB total) from October 2013 to October 2014. While most files lacked identifiable usernames, 320–400 usernames were exposed via atypical file-naming conventions or folder structures. An independent verification by an Ars Technica reader identified 3,999 images organized by username, contradicting SnapSaved’s minimization of the breach’s severity. The incident underscored risks associated with third-party API misuse and inadequate security practices, though no coordinated containment or remediation efforts by SnapSaved were detailed beyond its public statements.
