Snapchat staff abused data access to spy on users, former employees claim

189 million people use Snapchat to share ephemeral photos and videos, but their personal information might not be as private as they assume. According to a report from Motherboard published Thursday, multiple Snap employees abused their access to internal tools to spy on individuals using their service.

One such tool is SnapLion, a service originally built to gather information from users in response to law enforcement officers. ("LEO" is the name of the cartoon character Leo the Lion and an acronym for "law enforcement officer," hence the name.) However, according to Motherboard's sources, multiple employees improperly accessed the tool, which had the ability to look up user data such as saved Snaps, location information, phone numbers and email addresses.

"One of the former employees said that data access abuse occurred 'a few times' at Snap. That source and another former employee specified the abuse was carried out by multiple individuals. A Snapchat email obtained by Motherboard also shows employees broadly discussing the issue of insider threats and access to data, and how they need to be combatted."

The publication did not describe what particular kind of alleged abuse occurred. Nor did the outlet provide a specific timeframe for the alleged abuse beyond "several years ago." A former Snap employee told Motherboard that initially the social media giant did not have a satisfactory level of logging to track what data employees access, but the company has implemented better monitoring over time.

"Snap's "Spam and Abuse" team has access, according to one of the former employees, and a current employee suggested the tool is used to combat bullying or harassment on the platform by other users. An internal Snap email obtained by Motherboard says a department called "Customer Ops" has access to SnapLion. Security staff also have access, according to the current employee."

One former employee told the publication that SnapLion is used for "other user administration," such as resetting passwords of hacked accounts. "Protecting privacy is paramount at Snap," a Snap spokesperson told Motherboard. "We keep very little user data, and we have robust policies and controls to limit internal access to the data we do have. Unauthorized access of any kind is a clear violation of the company's standards of business conduct and, if detected, results in immediate termination."

Previously employees from Facebook and Uber were accused of abusing their privileged access to user data to stalk individuals, including exes, politicians and celebrities.