Snapchat confirmed that some third-party apps that connect to its service were compromised late last week, meaning some user photos that were initially shared on the service — and therefore presumed to be deleted — may surface online.
Snapchat claims it had nothing to do with the security breach, in which The Daily Beast reports that 90,000 photos were leaked, most of which were “explicit in nature.”
The hackers instead attacked third-party applications that connect to Snapchat, according to a Snapchat spokesperson. These applications connect through what is known as an API, or application programming interface. Snapchat users can use third-party applications such as Snapsaved.com or SnapSave (two separate companies) to automatically save photos before they’re deleted. In these cases, users are actually handing over their Snapchat username and password, a move that makes their account less secure.
Snapsaved.com confirmed over the weekend that it was indeed hacked, claiming Snapchat was not at fault. In a Facebook post, Snapsaved wrote that only 500 MB of data — the equivalent of roughly 500 to 1,000 iPhone photos — was stolen from its servers.
While the leaked photos were the result of Snapsaved being hacked, that’s because Snapsaved was able to find a way to post into Snapchat by reverse-engineering its API, meaning Snapchat’s API was effectively hacked. Unlike Twitter and other services that encourage developer interaction, Snapchat keeps its programming interfaces private, meaning those using them are doing so without permission, uncovering the programming hooks by reverse engineering or other means. Snapchat has an API so that its own app, the Snapchat app, can communicate with company servers.
Hackers have been able to download the app and reverse engineer the API before posting the process online, these sources explain. That’s what allows third-party services like Snapsave and others to operate in conjunction with Snapchat.
The Snappening, as this leak is being called, raises a major question for Snapchat: Why doesn’t it do more to protect its API?
Well, it’s trying. Snapchat doesn’t allow these third-party apps to use its API, and reports any apps that it comes across to the App Store or Google Play store, according to a spokesperson. “We have had dozens removed to date,” this spokesperson continued.
Snapchat also prohibits people from using or developing third-party apps in its terms of service, but they still exist. There are nearly a dozen apps in the App Store featuring some derivative of the word “snapsave,” and a number of others allow users to upload photos to Snapchat from places besides the user’s camera roll. Regular Snapchat app updates also add changes to the API which make it harder to replicate.
This weekend’s breach isn’t the first time Snapchat has dealt with user privacy issues. Earlier this year, hackers stole millions of Snapchat usernames and phone numbers.
Update: Includes more details on Snapchat’s API and the company’s efforts to protect it.
Update: Snapsaved responded to our interview request, but asked for payment in exchange for information. As a policy, Re/code does not pay for interviews.
This article originally appeared on Recode.net.