Snapchat And Dropbox Breaches Are Really Third-Party-App Breaches
What can get lost in a flurry of news about Dropbox and Snapchat getting hacked is that the companies themselves deny they were hacked at all.
They're not lying. Technically speaking, Dropbox's servers did not get breached. Snapchat's didn't either. Photos and log-in credentials apparently leaked from third-party sites or apps that piggyback on these services.
What are third-party apps? They are services that exist outside a parent program, say, Snapchat. But these services rely on the code base of the parent and add functionality to the main service.
For instance, the third-party site that leaked the Snapchat photos was called Snapsaved.com, and it did what Snapchat did not — allow you to save photos sent through the service. In a Facebook post, Snapsaved said it itself was hacked and that it deleted its website as soon as it discovered the breach.
These third-party apps are everywhere. TweetDeck was originally a third-party app based on Twitter, until Twitter bought it. If you're a Flickr user, there are a number of "home-grown applications" based on that photo-sharing service.
In a blog post, Dropbox told its users that their data were safe. It urged them "not to reuse passwords across services" and recommended they enable two-step verification.
Some question whether Snapchat's API, which is an electronic manual of sorts that lets computer systems talk to each other, is just too easy to hack. If that's the case, then the blame for this breach can in some ways be put at the foot of Snapchat itself.
There are ways software companies lock down their systems to ensure greater security, but recent experiences with some third-party apps indicate that wasn't happening.
Update on Wednesday, Oct 12 at 5:31p.m. E.T.: A Dropbox spokesperson says the stolen logins were a result of users who use the same passwords and sign-in credentials across several sites — not a breach of any specific third-party apps.
Copyright 2021 NPR. To see more, visit https://www.npr.org.