4.6 million Snapchat photo app usernames, phone numbers leaked

1 Jan, 2014 21:06 / Updated 11 years ago

Millions of US and Canadian users of popular photo sharing app Snapchat had their phone numbers and usernames exposed online after the data was captured by anonymous hackers. The leak comes months after Snapchat was warned of a major security hole.

The New Year may have only just started, but for Snapchat developers it has already been marked by the greatest security fail in the mobile app’s history.

An anonymous group of hackers has compiled and dumped a database containing phone number information of 4.6 million Snapchat users, along with their usernames, to a webpage simply labeled snapchatdb.info.

Although the last two digits of the leaked phone numbers have “for now” been censored out “in order to minimize spam and abuse,” the group says one should feel free to contact them and ask for the uncensored version of the database, which they agree to release “under certain circumstances.”

Moreover, the hackers suggest searching for matching Facebook and Twitter accounts to figure out the needed phone numbers on one’s own, saying that “people tend to use the same username around the web.”

They explain the massive leak by their wish to “raise awareness on the issue,” claiming that Snapchat took little or no steps to fix the exploit, which the app owners knew was there.

“The company was too reluctant at patching the exploit until they knew it was too late and companies that we trust with our information should be more careful when dealing with it,” the statement on snapchatdb.info states.

“Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed. It is understandable that tech startups have limited resources but security and privacy should not be a secondary goal. Security matters as much as user experience does,” the group further explains to TechCrunch.com.

The hackers claim to have published the data of “a vast majority of the Snapchat users.” However, the detailed view of the available area codes lists many (but not all) of US and some of Canadian area codes. While the real number of Snapchat users is unclear, media reports put the number at 8 million users as of June, and Google play app store lists the app in the 10,000,000 – 50,000,000 installations range.

Still, some of the app’s users have already realized the dump was not a hoax, and took to social media to report finding their usernames and numbers on the list. AOL-owned TechCrunch.com also confirmed the hack was real, saying that at least one of its editors found personal information freely available.

Perhaps even more embarrassing for Snapchat is the fact that the potential security breach was reported as early as last summer by an Australian group Gibson Security (GibsonSec). Months after the group’s initial release on Snapchat’s vulnerabilities had been ignored by the app’s developers, GibsonSec decided to publish a detailed list of exploits with examples of how someone with minimum knowledge of programming languages could abuse them.

Following GibsonSec’s December release, Snapchat came up with a statement admitting that “theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the US, they could create a database of the results and match usernames to phone numbers that way.” However, the developers said they have “implemented various safeguards to make it more difficult to do,” and “recently added additional counter-measures and continue to make improvements to combat spam and abuse.”

As of the time of writing, that December 27 statement remains the latest on the app’s official blog page, and Snapchat has not yet officially commented on the breach.

It is not the first time that Snapchat users may have regretted entrusting their private data or photos to the application. While the app developers initially presented it as a way of sending photos through an “erasable” medium, promising that the images are deleted from both the app and the servers after up to 10 seconds of viewing by the recipient, a study carried out by a US firm last April said it was not in fact designed to erase the files.

According to Utah-based Decipher Forensics, Snapchat does not actually delete the received photos, but rather hides them from view by changing the extension and making them unreadable. The pictures can thus be extracted from devices and handed over to parents, lawyers and law enforcement long after they have been viewed.

A separate study claimed the unread photos stay on the app’s servers for some 30 days before being deleted.

Snapchat is particularly popular with teenagers, and has been widely reported to be used for “sexting” or exchange of explicit images with some degree of nudity.

The app has been developed and owned by two Stanford University students. Since its initial 2011 release, the two have made headlines by reportedly declining a $3 billion offer from Facebook and a $4 billion offer from Google to acquire Snapchat.