Cyber Incident Victim: Snap Inc.
Date:
Feb 2016
Location:
United States of America
Summary
A phishing attack targeting a Snapchat payroll department employee resulted in the unauthorized disclosure of current and former employees' payroll information. The attacker impersonated the CEO via email, tricking the recipient into forwarding sensitive data externally. The company confirmed no internal systems were breached and user data remained unaffected, but employee identities were compromised. Within hours, the incident was reported to law enforcement, affected individuals were identified, and they were offered identity-theft protection services. This attack exemplified a growing trend of "whaling" tactics, where fraudsters use social engineering and publicly available professional details to target high-value personnel with access to financial or confidential data.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On February 26, 2016, a Snapchat payroll department employee received a spear-phishing email impersonating CEO Evan Spiegel, though it originated from an external email address. The message fraudulently requested employee payroll information, which the targeted employee forwarded under the belief it was a legitimate executive request. Snapchat confirmed the incident did not involve a breach of company servers, and user data remained unaffected. Within four hours of discovery, the company determined the phishing attack was isolated, reported it to the FBI, and initiated an internal review to identify impacted individuals. The compromised data included personally identifiable information (PII) of current and former employees, though specific quantities or data types beyond payroll details were not disclosed. Snapchat contacted all affected individuals and offered two years of complimentary identity-theft insurance and monitoring services. The company publicly acknowledged the incident through a blog post, apologizing for the identity compromises and emphasizing the targeted nature of the attack.
The incident exemplified a "whaling" attack, a subtype of phishing targeting high-value personnel with access to sensitive data or financial systems. Attackers leveraged social engineering tactics, exploiting the perceived authority of the CEO’s forged identity to bypass employee vigilance. This method aligned with a broader trend of Nigerian-linked financial fraud campaigns using spoofed executive communications to manipulate employees into initiating unauthorized wire transfers or data disclosures. While the article noted such leaks could often be prevented by email filtering or data loss prevention (DLP) tools designed to flag external transfers of sensitive data like Social Security numbers, Snapchat’s systems did not intercept the outgoing payroll information. The attack underscored operational vulnerabilities to socially engineered threats despite intact technical defenses, resulting in reputational impact and direct financial costs for identity protection services. No subsequent legal penalties or additional attacker motives beyond data acquisition were documented in the provided source material.