The Syrian Electronic Army, known for hacking the Twitter accounts of the Associated Press, The Guardian, and other news sources, is now claiming to have hacked the website and database of messaging app Viber. Earlier today, The Hacker News reported that Viber's support subdomain had been defaced with a "Hacked by Syrian Electronic Army" banner and an apparent screenshot of a device database. "Dear All Viber Users [sic], the Israeli-based 'Viber' is spying and tracking you," reads a message at the top. "We weren't able to hack all Viber systems, but most of it is designed for spying and tracking." Since then, the page has been taken down by Viber, though a copy can be found here (proceed at your own risk).
Viber boasts 200 million users, and it's not totally clear how much information the Syrian Electronic Army found out about them. Yesterday, the SEA said it had found "millions" of email addresses and phone numbers through messaging app Tango, and that it planned to hand them over to the Syrian government. Tango acknowledged the intrusion but downplayed the security threat, though it didn't say what precisely had been accessed.
The screenshot posted on Viber's site today shows a list of phone numbers with accompanying device IDs, IP addresses, and basic device information like operating system and Viber software version. Based on the screenshot, it's not clear that Viber is collecting an egregious amount of information, and its spying and tracking capabilities remain unknown. Considering that the SEA claims to be handing over data on rebels to the government, it's slightly ironic that it's now implying Viber is in cahoots with the Israeli government. So far, Viber hasn't publicly acknowledged the defacement; we've reached out for comment on the situation.
Update: Viber has responded to 9to5Mac, saying that it was indeed compromised due to an employee falling for the phishing scams often used by the Syrian Electronic Army. "It is very important to emphasize that no sensitive user data was exposed and that Viber's databases were not 'hacked,'" the statement reads in part. "Sensitive, private user information is kept in a secure system that cannot be accessed through this type of attack and is not part of our support system."