Snapchat is not off to a good start in 2014: last night hackers revealed they had obtained 4.6 million usernames and phone numbers from the popular photo-sharing service.
Last week Gibson Security revealed that a security hole in Snapchat could allow someone to associate users' usernames with their phone numbers, stripping away some of the privacy the service offers. The company addressed the issue on its blog, stating that the hack was possible but would take a very large upload: if someone were to “upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way.” The company went on to state that it had added safeguards over the past year, but it never directly stated that anything had been done about this particular vulnerability, despite Gibson having warned it of the threat privately before disclosing it publicly.
To show that this exploit was indeed possible, and that the hole was not patched, an unknown individual or team of hackers last night released a database of 4.6 million users and their associated phone numbers. The information was posted at snapchatdb.info, but the hosting account has now been suspended.
If you would like to know whether you were among the people revealed in the hack, a checker has been set up where you can enter your username and look up whether your information was revealed.
The Verge did receive a comment from the person or persons responsible for the hack stating, “Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed. Security matters as much as user experience does.” The person providing the reply stated that once the large-scale scraping of information began, Snapchat did put up a few hurdles to stop them, but they were minor at best and easily overcome.
The database, despite no longer being online, is being given freely to anyone who asks. The spokesperson said those asking have so far been researchers, professors at universities, lawyers and private investigators, but that they have not heard from Snapchat itself. “Snapchat hasn’t made any efforts to contact with us but seeing how they disregarded [Gibson Security’s] communication attempts, and how they reacted after they noticed the scraping was going on, I don’t think they care enough.”
Snapchat has yet to make any public statements regarding the leaked database.