Snapchat's been in lockdown mode ever since news broke Wednesday of a hack that exposed millions of user accounts and phone numbers.
This is unusual for a tech company that's attracted glowing trend pieces from the tech media, and grabbed the limelight when it rebuffed Mark Zuckerberg's offer of a $3 billion buyout. We've heard barely anything from Snapchat on the incident — and that's a huge problem.
The latest saga began on Christmas, when researchers at the Australia-based Gibson Security publicly reported a vulnerability in Snapchat that potentially lets attackers use the Snapchat API to determine the phone numbers tied to usernames. But Snapchat did not reply directly to Gibson Security, and waited for two days before writing a blog post alluding to the notice. It didn't say that the exploit had been fixed — just that it had thrown up some roadblocks.
Now, one hack and almost a week later, that Dec. 27 post is still the most recent one on Snapchat's Tumblr. The company hasn't tweeted anything acknowledging the incident. More than 24 hours after the hack that its fix failed to prevent, Snapchat still hasn't responded to my request for comment. Nor has it offered a substantive reply to any other reporter; on Wednesday night, CEO Evan Spiegel simply left a cryptic message on Twitter:
— Evan Spiegel (@evanspiegel) January 2, 2014
Snapchat's radio silence is worrisome. While the data breach wasn't especially serious — we're not talking about Social Security numbers or credit-card information — the company's failure to admit explicitly that an intrusion took place, or to communicate with users quickly after the attack, adds to the impression of Snapchat as a fratty, insensitive and bro-infested company that couldn't care less about your privacy and security. This was the it-company of 2013?
That Snapchat's first instinct is to say it has contacted law enforcement is also telling. It suggests that what the company thinks is most important is catching the culprits. But the damage is already done; punishing the hackers isn't going to magically hide again the millions of phone numbers and usernames that got exposed. Arguably more important is making sure that the next patch holds — and saying so to the rest of us.
It's a pretty low bar that Snapchat has to clear. It should probably apologize, eventually. But in the opening days of a crisis, at least just tell us what happened and how you're fixing it.