The third-party app Snapsave, blamed for the leaked Snapchat images, has admitted that its servers were breached, though security experts have claimed that Snapchat, the self-destructing messaging app, is not entirely blameless in the 'Snappening' incident.
Over the weekend of 10 October, a 14GB file containing around 100,000 photos and videos sent via Snapchat was shared online across sites including 4chan and Reddit.
The attack was acknowledged by Snapsaved, a third-party app and website that Snapchat users can download in order to save photos and videos that would otherwise be deleted by the messaging app.
"I would like to inform the public that snapsaved.com was hacked," an unsigned statement posted to Snapsaved's Facebook page read. "Snapchat has not been hacked, and these images do not originate from their database.
"As soon as we discovered the breach in our systems, we immediately deleted the entire website and the database associated with it. As far as we can tell, the breach has affected 500MB of images and 0 personal information."
Blaming the breach on Snapsaved is not fully justified, according to one cyber-security expert, who claims that Snapchat needs to "step up their onus in their app protection capabilities" before making the app available to consumers.
"It's clear that the security layers offered from the app stores are not enough to protect the critical policies residing in the apps themselves and to protect the end users from data compromise," Mike Dager, CEO of security firm Arxan, told The Independent.
"While Snapchat has gone on the record to say that neither the app nor their servers have been hacked, we scrutinise that claim.
"Since Snapchat does not provide an API for developers, the developers of the third-party apps must be reverse engineering either the Snapchat app or the network communication protocol. Once the third-party apps have emulated the Snapchat client, the apps gain access to the Snapchat user's private photos.
"As a result, the risk of a data breach is spread from Snapchat to the third-party app provider. Therefore, the risk mitigation must be initiated by mobile app developers themselves by deploying apps that have in-app defence and tamper-resistance attributes."
Snapchat is yet to respond to a request for comment regarding these claims.