Snapchat is learning firsthand what happens when you get cocky and refuse to be ‘bought out.’ Earlier this week 4.6 million user accounts were exposed, with their usernames and phone numbers posted to a database called SnapchatDB!.
The group responsible has spoken out about the hack explaining, “The Company was too reluctant at patching the exploit until they knew it was too late and companies that we trust with our information should be more careful when dealing with it.”
The leaked information is limited to US users in 76 area codes. The group also omitted the last two digits of each user’s phone number to prevent spamming. However, SnapchatDB! is accepting requests for the uncensored list and may release it under certain circumstances.
In recent months Snapchat’s founder Evan Spiegel rejected Facebook’s offer of $3 billion for the company and Google’s counter-offer of $4 billion. He may be regretting that decision now, as this data breach could end up costing him and his investors more than $4 billion in damages.
To top things off, Snapchat is taking a very lackadaisical approach to the breach, and was a little fresh when it commented on the issue. Snapchat’s statement follows:
“Finding Friends with Phone Numbers”
Occasionally computer security professionals and other helpful people reach out to us about potential bugs and vulnerabilities in Snapchat. We are grateful for the assistance of professionals who practice responsible disclosure and we’ve generally worked well with those who have contacted us.
This week, on Christmas Eve, a security group posted documentation for our private API. This documentation included an allegation regarding a possible attack by which one could compile a database of Snapchat usernames and phone numbers.
Our Find Friends feature allows users to upload their address book contacts to Snapchat so that we can display the accounts of Snapchatters who match the phone numbers found in the address book. Adding a phone number to your Snapchat account is optional, but it’s helpful for allowing your friends to find you. We don’t display the phone numbers to other users and we don’t support the ability to look up phone numbers based on someone’s username.
Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way. Over the past year we’ve implemented various safeguards to make it more difficult to do. We recently added additional counter-measures and continue to make improvements to combat spam and abuse.
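The attack Snapchat describes above is plain enumeration: an “address book” that is really every number in an area code, uploaded in batches, with the server obligingly answering which of them belong to registered users. The following is an added example, not Snapchat’s code or its private API, simulating that enumeration against a hypothetical Find Friends service and the three kinds of safeguard that blunt it: a cap on upload size, a per-account lookup budget, and a check that rejects uploads which look like a contiguous number range rather than a contact list. The directory of fake users, the 555 area code, the limits, and all function names are constructed for this example; the attacker only works through one 10,000-number exchange to keep the run short.

```python
"""Simulation (added example, not Snapchat's code or API) of the
"upload every number in an area code" enumeration and of server-side caps
that blunt it.  Every name, limit and phone number here is constructed."""
from collections import defaultdict
import random


def build_directory(area_code, exchange, n_users, seed=1):
    """Constructed user base: n_users fake usernames, each with a distinct
    random number in the given area code and exchange (NPA NXX XXXX)."""
    rng = random.Random(seed)
    subscribers = rng.sample(range(10_000), n_users)
    return {f"user{i:04d}": f"{area_code}{exchange}{s:04d}"
            for i, s in enumerate(subscribers)}


def sequential_fraction(numbers):
    """Share of uploaded numbers whose predecessor (n - 1) is also in the
    upload.  A real address book is sparse; a brute-force range is almost
    entirely sequential, so this separates the two cheaply."""
    if len(numbers) < 2:
        return 0.0
    as_int = {int(n) for n in numbers}
    return sum(1 for n in as_int if n - 1 in as_int) / len(as_int)


class FindFriendsService:
    """Toy Find Friends endpoint: the client uploads its address book and the
    server answers with the usernames whose number appears in the upload.
    Each safeguard is optional so the open and protected variants compare."""

    def __init__(self, directory, max_batch=None, max_numbers_per_account=None,
                 max_sequential_fraction=None):
        self.phone_to_user = {phone: user for user, phone in directory.items()}
        self.max_batch = max_batch
        self.max_numbers_per_account = max_numbers_per_account
        self.max_sequential_fraction = max_sequential_fraction
        self.uploaded = defaultdict(int)   # numbers submitted per calling account

    def find_friends(self, account, numbers):
        """Return {phone: username} for the matches, or refuse an abusive upload."""
        if self.max_batch is not None and len(numbers) > self.max_batch:
            raise PermissionError("address book too large for one request")
        if (self.max_numbers_per_account is not None and
                self.uploaded[account] + len(numbers) > self.max_numbers_per_account):
            raise PermissionError("per-account lookup budget exhausted")
        if (self.max_sequential_fraction is not None and
                sequential_fraction(numbers) > self.max_sequential_fraction):
            raise PermissionError("upload looks like a number range, not a contact list")
        self.uploaded[account] += len(numbers)
        return {n: self.phone_to_user[n] for n in numbers if n in self.phone_to_user}


def enumerate_exchange(service, account, area_code, exchange, batch_size):
    """Attacker: submit all 10,000 numbers of one exchange as if they were an
    address book, batch by batch, and keep whatever the server matches."""
    candidates = [f"{area_code}{exchange}{s:04d}" for s in range(10_000)]
    recovered = {}
    for start in range(0, len(candidates), batch_size):
        try:
            recovered.update(service.find_friends(account, candidates[start:start + batch_size]))
        except PermissionError:
            break            # the service cut this account off; keep what we have
    return recovered


def redact(phone):
    """Partial redaction of the kind SnapchatDB! applied: hide the last two digits."""
    return phone[:-2] + "XX"


if __name__ == "__main__":
    directory = build_directory("555", "867", n_users=40)
    open_service = FindFriendsService(directory)
    print("no safeguards:", len(enumerate_exchange(open_service, "attacker", "555", "867", 500)),
          "of", len(directory), "users recovered")
    budget = FindFriendsService(directory, max_batch=500, max_numbers_per_account=2_000)
    print("lookup budget:", len(enumerate_exchange(budget, "attacker", "555", "867", 500)), "recovered")
    shape = FindFriendsService(directory, max_sequential_fraction=0.5)
    print("range check:", len(enumerate_exchange(shape, "attacker", "555", "867", 500)), "recovered")
    for phone in list(directory.values())[:3]:
        print(phone, "->", redact(phone))
```

Against the open service the attacker recovers every user in the exchange; a per-account budget only bounds how much of the range one account can cover before the attacker rotates to a fresh account, whereas rejecting uploads that are mostly sequential stops the first batch and does not affect a genuine contact list, which is why a practitioner would want the shape check alongside the rate limit rather than instead of it.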
Users have yet to boycott the app, but only time will tell. It doesn’t look like this problem will be self-destructing in 10 seconds or less. To find out if your number is leaked, head here: http://lookup.gibsonsec.org/