Millions of US and Canadian users of popular photo sharing app Snapchat had their phone numbers and usernames exposed online after the data was captured by anonymous hackers. The leak comes months after Snapchat was warned of a major security hole.
The New Year may have only just started, but for Snapchat developers it has already been marked by the greatest security fail in the mobile app’s history.
An anonymous group of hackers has compiled and dumped a database containing phone number information of 4.6 million Snapchat users, along with their usernames, to a webpage simply labeled snapchatdb.info.
Although the last two digits of the leaked phone numbers have “for now” been censored out “in order to minimize spam and abuse,” the group says one should feel free to contact them and ask for the uncensored version of the database, which they agree to release “under certain circumstances.”
Moreover, the hackers suggest searching for matching Facebook and Twitter accounts to figure out the needed phone numbers on one’s own, saying that “people tend to use the same username around the web.”
They explain the massive leak by their wish to “raise awareness on the issue,” claiming that Snapchat took little or no steps to fix the exploit, which the app owners knew was there.
“The company was too reluctant at patching the exploit until they knew it was too late and companies that we trust with our information should be more careful when dealing with it,” the statement on snapchatdb.info states.
“Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed. It is understandable that tech startups have limited resources but security and privacy should not be a secondary goal. Security matters as much as user experience does,” the group further explains to TechCrunch.com.
The hackers claim to have published the data of “a vast majority of the Snapchat users.” However, the detailed view of the available area codes lists many (but not all) of US and some of Canadian area codes. While the real number of Snapchat users is unclear, media reports put the number at 8 million users as of June, and Google play app store lists the app in the 10,000,000 – 50,000,000 installations range.
Still, some of the app’s users have already realized the dump was not a hoax, and took to social media to report finding their usernames and numbers on the list. AOL-owned TechCrunch.com also confirmed the hack was real, saying that at least one of its editors found personal information freely available.
Perhaps even more embarrassing for Snapchat is the fact that the potential security breach was reported as early as last summer by an Australian group Gibson Security (GibsonSec). Months after the group’s initial release on Snapchat’s vulnerabilities had been ignored by the app’s developers, GibsonSec decided to publish a detailed list of exploits with examples of how someone with minimum knowledge of programming languages could abuse them.
Following GibsonSec’s December release, Snapchat came up with a statement admitting that “theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the US, they could create a database of the results and match usernames to phone numbers that way.”