Millions of US and Canadian users of popular photo sharing app Snapchat had their phone numbers and usernames exposed online after the data was captured by anonymous hackers. The leak comes months after Snapchat was warned of a major security hole.
The New Year may have only just started, but for Snapchat's
developers it has already been marked by the biggest security
failure in the mobile app's history.
An anonymous group of hackers has compiled and dumped a database
containing phone number information of 4.6 million Snapchat
users, along with their usernames, to a webpage simply
labeled snapchatdb.info.
Although the last two digits of the leaked phone numbers have
“for now” been censored out “in order to minimize
spam and abuse,” the group says one should feel free to
contact them and ask for the uncensored version of the database,
which they agree to release “under certain
circumstances.”
Moreover, the hackers suggest searching for matching Facebook and
Twitter accounts to figure out the needed phone numbers on one’s
own, saying that “people tend to use the same username around
the web.”
They justify the massive leak as an attempt to "raise
awareness on the issue," claiming that Snapchat took few
or no steps to fix an exploit that the app's owners knew was
there.
“The company was too reluctant at patching the exploit until
they knew it was too late and companies that we trust with our
information should be more careful when dealing with it,”
the statement on snapchatdb.info states.
“Our motivation behind the release was to raise the public
awareness around the issue, and also put public pressure on
Snapchat to get this exploit fixed. It is understandable that
tech startups have limited resources but security and privacy
should not be a secondary goal. Security matters as much as user
experience does,” the group further explains to
TechCrunch.com.
The hackers claim to have published the data of "a vast
majority of the Snapchat users." However, the detailed list
of the area codes covered includes many (but not all) US area
codes and only some Canadian ones. While the real number of Snapchat
users is unclear, media reports put it at 8 million users
as of June, and the Google Play store lists the app in the
10,000,000 – 50,000,000 installations range.
Still, some of the app’s users have already realized the dump was
not a hoax, and took to social media to report finding their
usernames and numbers on the list. AOL-owned TechCrunch.com also
confirmed the hack was real, saying that at least one of its
editors found personal information freely available.
Perhaps even more embarrassing for Snapchat is the fact that the
potential security breach was reported as early as last summer by
the Australian group Gibson Security (GibsonSec). After the
group's initial report on Snapchat's vulnerabilities had been
ignored by the app's developers for months, GibsonSec decided to publish a detailed list of exploits, with examples of
how someone with minimal programming knowledge could
abuse them.
Following GibsonSec's December release, Snapchat issued a
statement admitting that "theoretically,
if someone were able to upload a huge set of phone numbers, like
every number in an area code, or every possible number in the US,
they could create a database of the results and match usernames
to phone numbers that way.” However, the developers said
they have “implemented various safeguards to make it more
difficult to do,” and “recently added additional
counter-measures and continue to make improvements to combat spam
and abuse.”
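The enumeration Snapchat's statement describes is a bulk sweep of a "find friends by phone number" lookup: submit every number in a range, keep whichever ones come back with a username. The following is an added illustration, not code from the original report and not Snapchat's real API. `FriendFinder` is a hypothetical, constructed stand-in for such a lookup service, and the numbers and usernames are fictional. It runs the same sweep twice, once against an unlimited service and once against one with a per-client lookup quota and a batch-size cap, the kind of "safeguards" a service would need to make the attack expensive.

```python
"""Added example: bulk phone-number-to-username enumeration against a
constructed mock lookup service, with and without a per-client quota.
FriendFinder is a hypothetical stand-in, not Snapchat's real API."""
import itertools
import time
from collections import defaultdict


class FriendFinder:
    """Constructed mock of a 'find friends by phone number' lookup.

    users maps a 10-digit number to a username. With rate_limit=False any
    caller may submit batches of any size, as often as it likes. With
    rate_limit=True each client gets at most `quota` lookups per `window`
    seconds and no single batch may exceed `max_batch` numbers.
    """

    def __init__(self, users, rate_limit=False, max_batch=100,
                 quota=1000, window=60.0):
        self.users = users
        self.rate_limit = rate_limit
        self.max_batch = max_batch
        self.quota = quota
        self.window = window
        self._usage = defaultdict(list)  # client id -> lookup timestamps

    def find(self, client, numbers, now=None):
        """Return {number: username} for every submitted number that is registered."""
        now = time.monotonic() if now is None else now
        if self.rate_limit:
            if len(numbers) > self.max_batch:
                raise ValueError("batch exceeds max_batch")
            recent = [t for t in self._usage[client] if now - t < self.window]
            if len(recent) + len(numbers) > self.quota:
                raise PermissionError("per-client lookup quota exceeded")
            recent.extend([now] * len(numbers))
            self._usage[client] = recent
        return {n: self.users[n] for n in numbers if n in self.users}


def candidates(prefix, total_digits=10):
    """Every total_digits-long number beginning with prefix, in ascending order.

    A six-digit prefix (area code + exchange) yields 10,000 numbers; an
    eight-digit prefix, i.e. a number with its last two digits censored,
    yields only 100."""
    width = total_digits - len(prefix)
    for i in range(10 ** width):
        yield prefix + str(i).zfill(width)


def sweep(finder, client, prefix, batch=100, now=0.0):
    """The attacker's side: submit candidates in batches and collect matches.

    Returns (matches, batches_sent, blocked); blocked is True if the service
    refused a request before the sweep finished."""
    matches, sent, blocked = {}, 0, False
    it = iter(candidates(prefix))
    while True:
        chunk = list(itertools.islice(it, batch))
        if not chunk:
            break
        try:
            matches.update(finder.find(client, chunk, now=now))
        except (PermissionError, ValueError):
            blocked = True
            break
        sent += 1
    return matches, sent, blocked


# Constructed sample registrations (fictional numbers and usernames).
SAMPLE_USERS = {
    "2125550123": "alice",
    "2125550987": "bob",
    "2125551234": "carol",
    "3105550001": "dave",
}


def demo():
    """Sweep one exchange (212-555-xxxx) against both configurations."""
    open_api = FriendFinder(SAMPLE_USERS)
    limited = FriendFinder(SAMPLE_USERS, rate_limit=True, max_batch=100, quota=1000)
    return sweep(open_api, "attacker", "212555"), sweep(limited, "attacker", "212555")


if __name__ == "__main__":
    (hits, n, blocked), (hits2, n2, blocked2) = demo()
    print(f"unprotected: {len(hits)} matches in {n} batches, blocked={blocked}")
    print(f"rate-limited: {len(hits2)} matches in {n2} batches, blocked={blocked2}")
```

Against the open service the sweep finds all three 212-555 users in 100 requests; against the quota-limited one it is cut off after 10 batches with two of them. A per-client quota only raises the cost, though: an attacker who can spread the sweep across many client identities (new accounts, many IP addresses) gets the same coverage, so a quota has to be paired with account and IP reputation, and, ideally, a lookup that does not answer for numbers the caller has no other reason to know. The same `candidates` generator also shows why censoring the last two digits of the leaked numbers is weak protection: an eight-digit prefix expands to just 100 candidates, which one batch against such a lookup would resolve.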
As of the time of writing, that December 27 statement remains the
latest on the app’s official blog page, and Snapchat has not yet
officially commented on the breach.
It is not the first time that Snapchat users may have regretted
entrusting their private data or photos to the application. While
the app's developers initially presented it as a way of sending
photos through an "erasable" medium, promising that the images
are deleted from both the app and the servers after up to 10
seconds of viewing by the recipient, a study carried out by a US firm last April found it
was not in fact designed to erase the files.
According to Utah-based Decipher Forensics, Snapchat does not
actually delete received photos, but rather hides them from
view by changing the file extension so that the phone's media apps
no longer display them. The image data itself remains on the device,
so the pictures can be extracted and handed over to
parents, lawyers and law enforcement long after they have been
viewed.
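Renaming a file does nothing to its contents, which is why such images are recoverable: the first bytes of a JPEG or PNG identify it regardless of its name. The following is an added illustration of that recovery, not code from the original report or from Decipher Forensics; the directory layout, file names and the `.nomedia` extension in the sample are constructed for the example and do not claim to match Snapchat's real cache.

```python
"""Added example: locate image files hidden by renaming, identifying them
by file signature (magic bytes) rather than extension, and copy them out
under the correct extension. The sample tree is constructed."""
import shutil
import tempfile
from pathlib import Path

# Leading bytes of common image formats and the extension they imply.
SIGNATURES = [
    (b"\xff\xd8\xff", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
]
IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


def sniff(path):
    """Return the image type implied by the first bytes of the file, or None."""
    with open(path, "rb") as f:
        head = f.read(16)
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    return None


def find_hidden_images(root):
    """Map relative path -> image type for files whose content is an image
    but whose extension does not say so."""
    root = Path(root)
    hidden = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        kind = sniff(p)
        if kind is None:
            continue
        if p.suffix.lower().lstrip(".") not in IMAGE_EXTENSIONS:
            hidden[p.relative_to(root).as_posix()] = kind
    return hidden


def recover(root, outdir):
    """Copy each hidden image to outdir under a name with the correct
    extension; returns the list of written paths. Originals are untouched,
    as an examiner working on an image of the device would want."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    written = []
    for rel, kind in find_hidden_images(root).items():
        src = Path(root) / rel
        dst = outdir / f"{src.stem}.{kind}"
        shutil.copy2(src, dst)
        written.append(dst)
    return written


def build_sample_dir():
    """Constructed sample tree: two renamed images, one honest JPEG, one text file."""
    root = Path(tempfile.mkdtemp(prefix="snapscan_"))
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 32  # JPEG/JFIF header, enough to sniff
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    (root / "received").mkdir()
    (root / "received" / "h1a2b3c4.nomedia").write_bytes(jpeg)  # JPEG, non-image extension
    (root / "received" / "h5d6e7f8.nomedia").write_bytes(png)   # PNG, non-image extension
    (root / "thumb.jpg").write_bytes(jpeg)                      # correctly named, not hidden
    (root / "index.txt").write_bytes(b"not an image\n")         # no image signature
    return root


if __name__ == "__main__":
    root = build_sample_dir()
    for rel, kind in find_hidden_images(root).items():
        print(f"{rel}: {kind}")
    print("recovered:", [p.name for p in recover(root, root / "recovered")])
```

The check only works because the bytes are intact: a file that had genuinely been encrypted or overwritten would carry no recognisable signature, and signature matching would (correctly) report nothing. That is the difference between hiding a file and erasing it, and it is the point the Decipher Forensics finding turns on.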
A separate study claimed the unread photos stay on the app’s
servers for some 30 days before being deleted.
Snapchat is particularly popular with teenagers, and has been
widely reported to be used for "sexting," the exchange of
sexually explicit images.
The app was developed and is owned by two Stanford University
students. Since its initial 2011 release, the two have made
headlines by reportedly declining a $3 billion offer from
Facebook and a $4 billion offer from Google to acquire Snapchat.