Members of anonymous online message boards claim to have accessed hundreds of thousands of private photographs shared on Snapchat, a popular photo sharing service, just weeks after a celebrity hacking scandal drew increased attention to online privacy concerns.
But the photos do not appear to have come directly from Snapchat.
Instead, the collection of photos of noncelebrities, which some claim is as big as 200,000, appear to have come from the accounts of people using Snapsaved, a smartphone tool that its creators said would allow users to store photos from their Snapchat accounts that normally disappear after 10 seconds.
At least one person on the anonymous online messaging forum 4chan claimed to have accessed Snapsaved’s storage servers to gain access to the photos, saying links to allow anyone to download the images would be posted online.
News of the photos began circulating widely after Kenny Withers, a social media strategist from Vancouver, Wash., began blogging about the message board discussions. It is not currently possible to confirm the authenticity of the claims being made on 4chan.
Snapsaved itself is a bit of a mystery. It is not affiliated with Snapchat and it is not immediately clear who created it. The web address for Snapsaved.com does not appear to be working. Earlier, it was redirecting traffic to an obscure e-commerce site.
It also does not appear that Snapsaved was ever available on the Google Play app store. To install it, users would probably have had to go directly to the Snapsaved site — something Google strongly discourages because of security concerns.
The Internet address Snapsaved.com was registered on Oct. 17, 2013, and was set to expire on Oct. 17, 2014 — next week. There was no response to an email sent to a Facebook account for Snapsaved, which was created a week after the domain name was registered. The Facebook page has not been updated since March 2014.
The registrant of an Internet address can typically be identified through what is called a “Who is” search. But the registrant of Snapsaved.com used a service meant to conceal the identity of an address’s owner.
Questions arose as to which application was the origin of the alleged theft. In a footnote at the bottom of Snapsaved.com, the creator of the site listed it as SnapSave Online Inc. 2013, which is similar to another app with an almost identical name: Snapsave.
Georgie Casey, the creator of Snapsave, said that no photos had come from his service, and directed queries to Snapsaved.
“My app just saves Snaps to your Android phone, nothing is ever sent to my server,” Mr. Casey said.
A week before the Snapsaved.com website was registered, a number of news sites wrote about Mr. Casey’s app and another, similar app.
Snapchat said on Friday that, if the cache of photos was real, they did not come from Snapchat.
“We can confirm that Snapchat’s servers were never breached and were not the source of these leaks,” a Snapchat spokeswoman said in a statement. “Snapchatters were victimized by their use of third-party apps to send and receive Snaps, a practice that we expressly prohibit in our Terms of Use precisely because they compromise our users’ security.”
“We vigilantly monitor the App Store and Google Play for illegal third-party apps and have succeeded in getting many of these removed,” she added.
Though Snapchat has said its servers have not been compromised, some security experts still say the messaging start-up still bears some responsibility, at least to better educate its users.
“For mobile applications like Snapchat, consumers are not aware of the risks with using these associated third-party apps, and do not have security in mind,” said Chris Wysopal, chief technical officer at Veracode, an application security company. “Without an independent security review, there is not much Snapchat can do here except try to ban vulnerable or malicious third party apps that put their users at risk.”
Others security researchers see the incident as a cautionary tale for non-Internet-savvy users who may be too willing to hand over their private information.
“You’re still sending a photo to another end user,” said Patrick Wardle, director of research at Synack, an application security firm. “Once you send off that photo, they can do whatever they want with it.”
Snapchat has had issues with its security. In January, the start-up received intense criticism after a third-party application was able to expose the names and phone numbers of nearly five million Snapchat users. Snapchat had been warned by security researchers of a vulnerability in its security. At the time, the company dismissed the concerns.
The allegations come not long after a group of hackers stole private photos from a number of celebrity accounts on Apple, and used online web forums like 4chan and Reddit to distribute the stolen content. Apple faced intense criticism in the wake of the theft. The actress Jennifer Lawrence, one of the celebrities whose photos were stolen, called the acts “a sex crime.”
News of the stolen Snapchat photos spread over the past week, as an unidentified 4chan member claimed to have obtained the photos, saying links to access them would be released late Thursday evening.
Mr. Casey of Snapsave said he had been wary of the Snapsaved site when he first saw it.
“I came across it first around April 2014 and it had something like 100 Facebook likes,” Mr. Casey said. “I assumed no users would be stupid enough to enter their log-ins on a random website, but your average Snapchat user isn’t very tech savvy.”