Snapchat has blabbed its staff payroll information to a criminal after someone in human resources fell prey to a phishing email.
The firm told employees past and present in a statement that it is "impossibly sorry" for the error. It says users who have never worked for the company have not been affected.
The company blog says: "... It's with real remorse and embarrassment that one of our employees fell for a phishing scam and revealed some payroll information about our employees."
"The good news is that our servers were not breached, and our users' data was totally unaffected by this.
"The bad news is that a number of our employees have now had their identity compromised and for that we're just impossibly sorry."
The attack Friday targeted the sext and text company's payroll department with a lone phishing email impersonating chief executive officer Evan Spiegel in a request for pay data.
In a "swift and aggressive" response four hours after the attack, the company confirmed the scope of the breach and reported the crime to the FBI.
Snapchat has contacted those affected, offering two years of free identity-theft insurance and monitoring.
"When something like this happens, all you can do is own up to your mistake, take care of the people affected, and learn from what went wrong." Snapchat says it is "redoubling" its security and privacy efforts.
Phishing is the preferred attack vector for many hacking attacks, highly advanced and simple alike, because humans are the softest link in most security chains.
Anti-phishing training campaigns are now well-oiled machines that are used by some of the world's biggest technology companies. Many anti-phishing toolkits are free.
Social networks are alive to their status as phishing targets. Former Twitter security man Dan Tentler has described the avian network's internal phishing training initiative in which infosec bods regularly phished their own employees, making the lures more difficult to spot as staff became more savvy. ®