Snap Inc.: Illinois man charged with hacking Snapchat accounts to steal nude photos

Illinois Man Charged in Large-Scale Snapchat Hacking Scheme Targeting Hundreds of Women

U.S. prosecutors have charged 26-year-old Kyle Svara of Illinois with orchestrating a phishing operation that compromised nearly 600 Snapchat accounts between May 2020 and February 2021. Svara allegedly used social engineering tactics to obtain victims' emails, phone numbers, and usernames, then impersonated Snapchat representatives to trick targets into sharing access codes. Of the 4,500 individuals contacted, approximately 570 had their credentials stolen, with Svara accessing at least 59 accounts without authorization to download private images.

After gaining access, Svara advertised his hacking services on platforms like Reddit, offering to breach accounts for clients or trade stolen content. Court documents reveal he directed potential collaborators to the encrypted messaging app Kik for further communication. One of his clients, former Northeastern University track and field coach Steve Waithe, hired Svara to hack the accounts of Northeastern students and athletes. Waithe was sentenced in March 2024 to five years in prison for sextortion, cyberstalking, and cyber fraud after targeting 128 women.

In addition to paid hacking jobs, Svara independently targeted students at Colby College in Maine and women in Plainfield, Illinois. He now faces multiple federal charges, including aggravated identity theft, wire fraud, computer fraud, and making false statements related to child pornography. If convicted, he could face a mandatory minimum two-year sentence for identity theft, with potential penalties of up to 20 years for wire fraud and additional prison time for other charges. Svara is scheduled to appear in federal court in Boston on February 4th. Federal investigators continue to seek information from potential victims.

Source: https://www.bleepingcomputer.com/news/security/illinois-man-charged-with-hacking-snapchat-accounts-to-steal-nude-photos/

Snap Inc. cybersecurity rating report: https://www.rankiteo.com/company/snap-inc-co

"id": "SNA1767973005",
"linkid": "snap-inc-co",
"type": "Breach",
"date": "2/2021",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '570+ victims (primarily women)',
                        'industry': 'Technology, Social Media',
                        'location': 'United States',
                        'name': 'Snapchat (users)',
                        'type': 'Social Media Platform (users)'},
                       {'customers_affected': "Students (Women's Track and "
                                              'Field or Soccer teams)',
                        'industry': 'Education',
                        'location': 'Boston, Massachusetts, United States',
                        'name': 'Northeastern University',
                        'type': 'Educational Institution'},
                       {'customers_affected': 'Students',
                        'industry': 'Education',
                        'location': 'Maine, United States',
                        'name': 'Colby College',
                        'type': 'Educational Institution'}],
 'attack_vector': 'Phishing, Impersonation, Social Engineering',
 'data_breach': {'data_exfiltration': 'Yes (stolen content sold or traded '
                                      'online)',
                 'file_types_exposed': 'Images (private photos)',
                 'number_of_records_exposed': '570+ accounts, 59+ accounts '
                                              'with downloaded content',
                 'personally_identifiable_information': 'Emails, phone '
                                                        'numbers, Snapchat '
                                                        'usernames',
                 'sensitivity_of_data': 'High (private, compromising images)',
                 'type_of_data_compromised': 'Private photos, personally '
                                             'identifiable information '
                                             '(emails, phone numbers, Snapchat '
                                             'usernames)'},
 'description': 'U.S. prosecutors charged Kyle Svara with orchestrating a '
                'phishing operation to hack the Snapchat accounts of nearly '
                '600 women, steal private photos, and sell them online. Svara '
                "used social engineering tactics to obtain victims' "
                'credentials and impersonated Snap representatives to gain '
                'access to accounts.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage to '
                                       'Snapchat (impersonation of '
                                       'representatives)',
            'data_compromised': 'Private photos, personal information (emails, '
                                'phone numbers, Snapchat usernames)',
            'identity_theft_risk': "High (victims' personal information and "
                                   'private content exposed)',
            'legal_liabilities': 'Aggravated identity theft, wire fraud, '
                                 'computer fraud, false statements related to '
                                 'child pornography',
            'systems_affected': 'Snapchat accounts'},
 'initial_access_broker': {'data_sold_on_dark_web': 'Yes (stolen content '
                                                    'advertised on Reddit, '
                                                    'Kik, and other platforms)',
                           'entry_point': 'Phishing, social engineering '
                                          '(impersonation of Snap '
                                          'representatives)',
                           'high_value_targets': 'Women (students, athletes, '
                                                 'general public)',
                           'reconnaissance_period': 'May 2020 - February 2021'},
 'investigation_status': 'Ongoing (FBI seeking additional information from '
                         'potential victims)',
 'lessons_learned': 'Need for stronger authentication measures (e.g., '
                    'multi-factor authentication), awareness of social '
                    'engineering tactics, and vigilance against impersonation '
                    'attacks.',
 'motivation': 'Financial gain, Sextortion, Cyberstalking, Personal '
               'exploitation',
 'post_incident_analysis': {'corrective_actions': 'Strengthen authentication '
                                                  'protocols, enhance user '
                                                  'education on phishing, '
                                                  'improve monitoring for '
                                                  'suspicious activity, and '
                                                  'collaborate with law '
                                                  'enforcement to track and '
                                                  'prosecute threat actors.',
                            'root_causes': 'Lack of multi-factor '
                                           'authentication, human error '
                                           '(victims sharing access codes), '
                                           'impersonation of trusted entities '
                                           '(Snap representatives), weak '
                                           'security awareness among users.'},
 'recommendations': ['Implement multi-factor authentication for all accounts.',
                     'Educate users on recognizing phishing and social '
                     'engineering attempts.',
                     'Monitor for unauthorized access or suspicious activity '
                     'on accounts.',
                     'Report incidents to law enforcement promptly.',
                     'Use encrypted messaging for sensitive communications.'],
 'references': [{'source': 'U.S. Department of Justice'},
                {'source': 'Court documents'}],
 'regulatory_compliance': {'legal_actions': 'Federal charges (aggravated '
                                            'identity theft, wire fraud, '
                                            'computer fraud, false statements '
                                            'related to child pornography)'},
 'response': {'law_enforcement_notified': 'FBI'},
 'threat_actor': 'Kyle Svara (individual), Steve Waithe (co-conspirator)',
 'title': 'Phishing Operation Targeting Snapchat Accounts to Steal Private '
          'Photos',
 'type': 'Phishing, Social Engineering, Identity Theft, Data Theft',
 'vulnerability_exploited': 'Lack of multi-factor authentication, Human error '
                            '(victims sharing access codes)'}