An anonymous hacker or group apparently uploaded the user names and phone numbers of an estimated 4.6 million Snapchat users to the Internet for anyone to grab.
“It’s not the complete Snapchat database,” said Kevin Poulsen of Wired Magazine. “It’s just a portion of Snapchat users that are affected.”
While images shared on Snapchat, the photo-sharing social app, disappear 10 seconds after being viewed, a person’s account information does not.
Hackers posting the personal data to a website called SnapchatDB included all but the last two digits of the Snapchat phone numbers, inviting those who wanted the full numbers to contact the website for the uncensored database.
Poulsen said the “biggest danger” from the breach was possible stalking.
“Snapchat has a very young user base. I think the greatest risk from this is that the full list with the full phone numbers winds up being posted somewhere, and then we see users being stalked,” he said.
Experts said the security breach was made worse by the fact that users tended to have the same user name for other apps — such as Facebook and Twitter.
Gibson Security says it has been trying to get Snapchat’s attention on this issue, both publicly and privately, since August. But when Snapchat responded with what the security group deemed an insufficient fix, it went public with its findings and methodology on Dec. 25.
Afterwards, the hackers at SnapchatDB, in a statement released to TechCrunch, said they used a “modified” version of GibsonSec’s findings to exploit the photo-sharing application.
It is not uncommon for independent security groups (also called white hats) to publicly release computer vulnerabilities when companies fail to acknowledge the holes. Such disclosure usually forces the company into action. What is unusual in this case is that the vulnerability remained unaddressed long enough for a third party to take advantage of it.
The person or group behind SnapchatDB said the “motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed.”
As of press time, SnapchatDB appears to have been taken down by its Internet host, but this does not mean other groups could not have made copies of the database before it was pulled. GibsonSec has a copy of the information and has created a web application that can be used to check whether your username is one of those affected.
Snapchat has been so popular with kids that Facebook offered to buy it for $3 billion. But the company’s 20-something owners turned down the offer.
It was unclear whether the breach would affect the company’s value.
Snapchat responded to the allegations in a statement Dec. 27, saying it had “recently added additional countermeasures” and would “continue to make improvements to combat spam and abuse.”
Gibson Security, an Internet security company, said it discovered the security hole in August and warned Snapchat.
For now, Poulsen suggested that concerned Snapchat users check various websites to see whether their information has been listed.
“That’s the first step,” he said. “Put in your account name and see if you’re even in the leaked data – most users were not – and if you are then it may be time to change your phone number.”
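The article twice points readers to lookup sites where they type in an account name to see whether it is in the leaked data. The following is an added example, not code from the article, from GibsonSec or from SnapchatDB, of how such a checker can be built so that the lookup service itself never receives the full username: the client hashes the name, sends only a short hash prefix, gets back the whole bucket of records sharing that prefix, and finishes the match locally (the range-query pattern popularised by breach-check services). It goes beyond the page in that respect. The records, the `PREFIX_LEN` value and all names are constructed assumptions; the phone numbers keep the last two digits masked, matching how the page says the dump was published.

```python
import hashlib

# Constructed sample records in the shape the article describes: a username and a
# phone number with the last two digits masked. These are made-up entries, not
# rows from the real leak.
LEAKED_RECORDS = {
    "alice_example": "555-010-12XX",
    "bob_example": "555-010-34XX",
    "carol_example": "555-010-56XX",
}

# Number of hex characters of the SHA-256 digest the client reveals to the server.
# Assumed value for this example; shorter prefixes give larger, more anonymous buckets.
PREFIX_LEN = 5


def username_hash(username):
    """Normalise (trim, lowercase) then SHA-256 the username, returned as hex."""
    return hashlib.sha256(username.strip().lower().encode("utf-8")).hexdigest()


def build_index(records):
    """Server side: group leaked records by hash prefix.

    Result maps prefix -> {hash suffix: masked phone number}, so a range query
    can be answered without the server learning which suffix the client wants.
    """
    index = {}
    for name, masked_number in records.items():
        digest = username_hash(name)
        prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
        index.setdefault(prefix, {})[suffix] = masked_number
    return index


SERVER_INDEX = build_index(LEAKED_RECORDS)


def lookup_range(prefix):
    """Server side: return every record whose hash starts with `prefix`.

    The server only ever sees the prefix, never the full hash or the username.
    """
    if len(prefix) != PREFIX_LEN:
        raise ValueError("prefix must be exactly %d hex characters" % PREFIX_LEN)
    # Return a copy so the caller cannot mutate the server's index.
    return dict(SERVER_INDEX.get(prefix, {}))


def check_username(username, range_lookup=lookup_range):
    """Client side: report the masked number for `username` if it is in the leak.

    Returns the masked phone number string when the account is affected, or None
    when it is not. Only the hash prefix leaves the client.
    """
    digest = username_hash(username)
    bucket = range_lookup(digest[:PREFIX_LEN])
    return bucket.get(digest[PREFIX_LEN:])


if __name__ == "__main__":
    for name in ("Alice_Example", "nobody_here"):
        hit = check_username(name)
        print(name, "->", hit if hit else "not in the sample data")
```

The check is case-insensitive because the index and the query normalise the name the same way; if the two sides disagreed on normalisation, affected users would get a false "not found". Because the server answers with every record in the bucket, it cannot tell which one the caller was interested in, which matters for a checker that, as the article notes, most people querying will not actually be in.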