A Look Behind the Snapchat Photo Leak Claims

Snapchat, a messaging service that is particularly popular among teenagers, has faced criticism regarding its promises of privacy.Credit Lionel Bonaventure/Agence France-Presse — Getty Images

Snapchat, a fast-growing Internet messaging service, promises its users that the things they share with each other will disappear within 10 seconds. But three men claim they wanted to prove that wasn’t quite true, “just for the fun of it.”

So about a year ago they created, a web tool that when connected to a Snapchat account would save a user’s photos and videos in an online storage locker.

Then, last week, they said their experiment went haywire when their servers were breached. A handful of people on the online message board 4chan claimed to have access to a huge stash of private photos, including potential child pornography, stolen from

“Of course we’re very sorry,” one of the men said in an interview. “This whole thing was blown up beyond what we expected. We haven’t profited from this, and we don’t want to be famous.”

The men, who spoke English with Northern European accents, would not disclose their names, ages or location, saying only that they were somewhere outside the United States. The New York Times contacted them last Friday through Snapsaved’s Facebook page.

They agreed to talk over an Internet phone connection but went to considerable effort to conceal their identities: They used a random name generation program to create their online handle, “Schmidt Gizi,” and claimed to be using so-called proxy computer servers to hide their location. Trucks could be heard in the background during the conversation, indicating that they were most likely outside.

They have taken Snapsaved offline.

Just how links to the photos from Snapsaved surfaced on message boards is still a mystery and the men said they did not know who was responsible.

The size of the collection of stolen photos is also hard to pin down. Posters on 4chan claim they stole around 200,000 images. But the men who say they created Snapsaved said that the stolen collection had more like 40,000 and that hackers had inflated the total with pictures from pornography sites.

Indeed, it is even impossible to say for certain if the links to images making the rounds on message boards are really from Snapchat, though the men who say they created Snapsaved said they had seen the stash of photos and believe they were taken from their own servers.

The incident has raised new questions regarding Snapchat, which is particularly popular among teenagers. Security researchers say that while any dedicated hacker with enough time and resources can find a way to tap into Snapchat, the company could make it harder for third-party services like Snapsaved.

“But with enough motivation, it doesn’t matter, it’ll still be reverse-engineered,” said Adam Caudill, an independent security researcher and outspoken Snapchat critic. “The issue with them is that their users expect more privacy than they can provide, and the nature of the service has made it more of a target than most.”

Snapchat has faced past criticism regarding its promises of privacy. Last year, security experts publicly revealed a flaw in the company’s technology, which Snapchat quickly dismissed. Days later, the service was hacked to expose the handles and phone numbers of thousands of Snapchat users.

Many take issue with Snapchat’s privacy claims. The Electronic Privacy Information Center has asked the Federal Trade Commission to look into Snapchat’s data security practices. In May, Snapchat settled with the F.T.C. and agreed to further improve its privacy features over time.

The three men contacted through the Snapsaved Facebook page provided The Times with a list of Snapchat user names collected from to prove they were affiliated with A number of those user names matched the names of people who commented on’s Facebook page and indicated on that page that they had signed up for the service. A random sampling of about 40 names on the list also matches the names of Snapchat users.

They said they built the site in October 2013 after they were hired by someone they met on, an online message board where users trade tips and swindles to make money off search engines using practices that are typically rejected by companies like Google.

This person, whom the men would not identify but said was based in Hong Kong, owned the domain listing or Internet address. The men tried to contact this man after the hack, but he did not respond to them.

Snapsaved acted as a sort of online middleman between Snapchat and individual users. After a person entered a Snapchat handle and password, any photos or images sent to friends were saved to Snapsaved’s server. Over the past year, the men said they had collected about 13 gigabytes of photos and data from more than 260,000 users.

That means that even if a Snapchat user did not use, that person’s photos may still be at risk if they were sent to someone who had gained access to the site.

The men were alerted that something was wrong only after the first news reports began to circulate last week. They claimed two different people hacked into the server, and were able to steal 415 megabytes of data. The stolen content only includes photos and videos, these men said, and not user names, phone numbers, passwords or other account information.

After realizing their server had been breached, the men said they deleted all of the photos and took down the website.

The men said they decided to talk because they wanted to make it clear that it was their site that was hacked — not Snapchat. And they also wanted to make clear that they did not intend to collect child pornography.

But six months ago, that is what happened. The men said they found images of child pornography uploaded to the server. They said they were able to trace the Internet addresses of the users sharing those photos to Sweden and Norway and sent that material to child protective services in those countries.

Snapchat has said that what Snapsaved did is an unauthorized use of its service, and condemns the practice. On Tuesday, Snapchat posted an update to its blog, warning users not to obtain access to third-party services that have tied into its service without permission.

“When you give your login credentials to a third-party application, you’re allowing a developer, and possibly a criminal, to access your account information and send information on your behalf,” the company said in its blog post.

Snapchat says it is not averse to working with partners and hopes to do more of that, but it does not invite them to reverse-engineer its service in order to find and exploit its flaws.

For now, the men responsible for have not gone to the authorities to talk about the incident. They said they were concerned for their safety, and worried they would be prosecuted for storing or inadvertently distributing the photos.

And yet, since The Times interviewed them over the weekend, they have shown some signs of bravado, even asking to be paid in Bitcoin — the online currency — in exchange for an interview, according to Motherboard, Vice’s technology site. The Times did not pay for its interview.

“Well … my time is finite, and the amount of interviewers is very high, we have made a public statement, explaining our side of the story,” one of the men said in a Facebook message on Tuesday.

“If you wish further elaboration on the topic, we can give you that, but we are very busy at the moment.”