
Hackers Leaked 4.6 Million Snapchat Usernames and Phone Numbers

It's one way to raise awareness of a security hole.

Update 1/3/14: Snapchat has now responded to the attack on their blog. They confirmed that only usernames and partially redacted phone numbers were leaked (so your nudie Snaps are safe), and said they would release an update to allow users to opt out of the "Find Friends" service. "We’re also improving rate limiting and other restrictions to address future attempts to abuse our service," the company wrote. Meanwhile, SnapchatDB now appears to be back online after the account was suspended yesterday.


If you’re a US Snapchat user, your username and phone number may now be available on the internet for anyone to find. Happy New Year, guys!

In the latest twist of a months-long saga around an alleged vulnerability in Snapchat’s security, unknown hackers have released a database that they claim includes 4.6 million Snapchat account usernames and mobile numbers in a dump at SnapchatDB.info. I initially got 503 error messages when trying to access the site, possibly because of high levels of traffic, but have since got through.

Once on the page, there are links to download the database. The site explains:

You are downloading 4.6 million users' phone number information, along with their usernames. People tend to use the same username around the web so you can use this information to find phone number information associated with Facebook and Twitter accounts, or simply to figure out the phone numbers of people you wish to get in touch with.

Snapchat hasn’t confirmed whether the information in the database is legitimate, but writers over at TechCrunch have said that it’s real, and that the details of at least one member of their editorial team are included in the list. Commenters on Reddit have also reported that their accurate details are in the database. In total, SnapchatDB claims to include the username and phone number combinations of 4,609,621 accounts across 76 US area codes, which the site lists.

At least for now, the last two digits of each user’s phone number are redacted, but it might not stay that way. The hackers wrote that they’d taken this measure in order to limit spam and abuse, but added, “Feel free to contact us to ask for the uncensored database. Under certain circumstances, we may agree to release it.”


I’ve reached out to an email address listed on the site and asked what sort of circumstances these might be—I’ll update if I hear back.

On the site, SnapchatDB explained that the release was intended as a way of raising awareness about a security flaw uncovered by Australian researchers last year. “This information was acquired through the recently patched Snapchat exploit and is being shared with the public to raise awareness on the issue,” they wrote, which seems to suggest the weakness may now have been fixed. “The company was too reluctant at patching the exploit until they knew it was too late and companies that we trust with our information should be more careful when dealing with it.”

The story started back in August, when "computer security group" Gibson Security first published information on vulnerabilities they’d uncovered after reverse-engineering Snapchat. In a statement at the time, they wrote that, “Of the vulnerabilities released, an exploit was found in the Snapchat “Find Friends” function, allowing someone to easily create a database of the usernames and phone numbers of users of the Snapchat application, in a small timeframe, using phone numbers automatically provided to the app.”

But by December they still hadn’t had a response from Snapchat, and so on Christmas Day they turned up the heat by releasing what they said was full information on the weakness they’d found and how it could be exploited.


Snapchat did respond to this in a blog post on their site, but were vague about “various safeguards” they’d put in place. They explained, “Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way.” And now it looks like someone’s done something just like that.
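The enumeration Snapchat describes above is easy to see in miniature. The following is an added simulation written for this page; it is not the article’s, Gibson Security’s or Snapchat’s code, and the lookup service, its batch cap and quota values, the area code 212, exchange 555 and the in-memory user table are all constructed for illustration. The unthrottled service returns every match for any batch it is handed, so one exchange (10,000 line numbers) falls to ten requests; the hardened variant applies the two measures the company said it would add, rate limiting and a “Find Friends” opt-out, and the same loop stalls after a fraction of the number space.

```python
import random
import string

AREA_CODE = "212"            # assumption: any NANP area code; 212 is only a sample
LINES_PER_EXCHANGE = 10_000  # NANP line numbers run 0000-9999 within one exchange


def build_directory(area_code, exchange, n_users, seed=1):
    """Constructed sample user table: phone number -> username, all within one exchange."""
    rng = random.Random(seed)
    directory = {}
    while len(directory) < n_users:
        number = f"{area_code}{exchange:03d}{rng.randrange(LINES_PER_EXCHANGE):04d}"
        directory.setdefault(number, "user_" + "".join(rng.choices(string.ascii_lowercase, k=6)))
    return directory


class FindFriends:
    """Unthrottled lookup as the article describes it: any caller, any batch size, every match returned."""

    def __init__(self, directory):
        self.directory = directory
        self.requests = 0

    def lookup(self, caller, numbers):
        self.requests += 1
        return {n: self.directory[n] for n in numbers if n in self.directory}


class ThrottledFindFriends(FindFriends):
    """Hardened variant: batch cap, per-caller quota and an opt-out list (hypothetical parameters)."""

    def __init__(self, directory, max_batch=100, max_numbers_per_caller=500, opted_out=()):
        super().__init__(directory)
        self.max_batch = max_batch
        self.max_numbers_per_caller = max_numbers_per_caller
        self.opted_out = set(opted_out)   # usernames that asked not to be discoverable by number
        self.spent = {}                   # caller -> numbers submitted so far (quota window not modelled)

    def lookup(self, caller, numbers):
        if len(numbers) > self.max_batch:
            raise ValueError(f"batch of {len(numbers)} exceeds cap of {self.max_batch}")
        spent = self.spent.get(caller, 0) + len(numbers)
        if spent > self.max_numbers_per_caller:
            raise PermissionError(f"caller {caller!r} exceeded its lookup quota")
        self.spent[caller] = spent
        hits = super().lookup(caller, numbers)
        return {n: u for n, u in hits.items() if u not in self.opted_out}


def enumerate_exchange(service, caller, area_code, exchange, batch_size):
    """Attacker loop: submit every line number in one exchange, in batches, until the service refuses."""
    found = {}
    numbers = [f"{area_code}{exchange:03d}{line:04d}" for line in range(LINES_PER_EXCHANGE)]
    for start in range(0, len(numbers), batch_size):
        try:
            found.update(service.lookup(caller, numbers[start:start + batch_size]))
        except (ValueError, PermissionError):
            break
    return found


def demo():
    """Run the same enumeration against both services; returns (open requests, open hits, users, throttled hits)."""
    directory = build_directory(AREA_CODE, 555, n_users=300)
    opted_out_user = next(iter(directory.values()))

    open_service = FindFriends(directory)
    full = enumerate_exchange(open_service, "attacker", AREA_CODE, 555, batch_size=1000)

    hardened = ThrottledFindFriends(directory, opted_out={opted_out_user})
    partial = enumerate_exchange(hardened, "attacker", AREA_CODE, 555, batch_size=100)
    assert opted_out_user not in partial.values()

    return open_service.requests, len(full), len(directory), len(partial)


if __name__ == "__main__":
    requests, full_hits, users, partial_hits = demo()
    print(f"unthrottled: {requests} requests recovered {full_hits}/{users} users")
    print(f"throttled:   quota hit, recovered {partial_hits}/{users} users")
```

Scale the numbers up and the point of Snapchat’s own sentence is clear: an area code is 800 exchanges, so the unthrottled service hands over every user in it for a few thousand requests. A per-caller quota alone is weak, since an attacker with many throwaway accounts simply spreads the batches across them; in practice it has to be combined with a batch cap, per-device and per-IP limits, and an opt-out that is honoured before results leave the server, which is why the hardened variant filters matches rather than trusting the client to hide them.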

Gibson Security tweeted that they had nothing to do with the hack, but that it was just “a matter of time.” I emailed to ask what they thought of the database release, and they responded, “We're not terribly happy, but we feel this incident was somewhat inevitable. We don't think it was the right thing to do, but it's certainly going to bring a lot more press to the way companies respond to exploits and especially how Snapchat has handled the situation.”

We know nothing about SnapchatDB, but it was a matter of time til something like that happened. Also the exploit works still with minor fixes

— Gibson Security (@gibsonsec) January 1, 2014

Their advice for Snapchat users who have been affected (you can check whether your details are in the dump at a lookup site built by data scientist Vik Paruchuri) is to delete your account and, if necessary, change your phone number.

“Snapchat has a page where you can delete your account, I can't verify if this is currently working as it has not worked in the past and I don't have an account to log in with at the moment,” they wrote. “If someone's phone number appeared in the leak, contact your phone provider about changing your phone number if you deem it necessary. Otherwise the best thing you can do is increase the security/privacy levels of your social networking accounts and assess whether you really need to be a member of these "secure" social networks.”

The hack is also a reminder of the perils of using the same username across the web. “We viewed a handful of accounts in the SnapchatDB release, and they are easily tied to Instagram/other social media accounts, and/or contain the real name of the owner of the account,” Gibson Security wrote in response to my question on why users should be most concerned. “This potentially allows you to build a profile very quickly on those people.”

The hackers might claim to have noble intentions, but Snapchat users whose details made the list are probably not too pleased at having their “awareness raised” in quite this way.

@VickiTurk

Top image via Flickr/Lenny van Dijk