January 1, 2014
Hackers Snatch Up 4.6M Snapchat Usernames And Phone Numbers
Enid Burns for redOrbit.com - Your Universe Online
It's too late to say, "you were warned," to Snapchat. Hackers have infiltrated the social network that allows users to send friends photos and videos that will disappear within 10 seconds of being viewed. On Christmas Eve, a group of hackers in Australia that operates under the name Gibson Security published details on a vulnerability in Snapchat, and inside of a week hackers stole the details of 4.6 million accounts and published the usernames and phone numbers online.
A website with the URL SnapchatDB.info has published the details of 4.6 million Snapchat accounts and made them available as an SQL dump or a CSV text file, The Next Web reports. Users concerned about their account details can check whether their information is among those 4.6 million accounts at a site containing a checker script set up by developers Will Smidlein and Robbie Trencheny.
Snapchat has become hugely popular among teens and young adults who send photos and videos that capture scenes in the moment. The app, which is available on iOS and Android devices, has been under scrutiny at times, such as when programmers have pointed out that images and videos aren't deleted but remain stored on handsets in an inaccessible folder.
Now Snapchat has more worries about a security hole it neglected to fix after being warned about four months ago. After not getting a response from Snapchat, Gibson Security published details on the security hole on Christmas Eve, including how to hack Snapchat using the security flaw.
In response to the Christmas gift left by Gibson Security, Snapchat posted on its blog, explaining that the security hole was not an issue. The social app said that the company works with computer security professionals and is typically grateful for the work they do.
"This week, on Christmas Eve, a security group posted documentation for our private API. This documentation included an allegation regarding a possible attack by which one could compile a database of Snapchat usernames and phone numbers," the post said.
Snapchat maintains that the Find Friends feature is optional. The feature allows users to upload their address book contacts so that Snapchat can match up friends who have Snapchat accounts. "We don't display the phone numbers of other users and we don't support the ability to look up phone numbers based on someone's username," the post said.
"Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way. Over the past year we’ve implemented various safeguards to make it more difficult to do. We recently added additional counter-measures and continue to make improvements to combat spam and abuse," the post read.
An individual or group was able to gather the usernames and phone numbers for 4.6 million Snapchat users. The information as published on the SnapchatDB website is reportedly not complete — each phone number has the last two digits obscured.
A WHOIS lookup conducted by The Next Web shows that the SnapchatDB domain was created on December 31, though the registrant name is protected. The mailing address and contact number given for the account place the registrant in Panama.
"How genuine the information is in this database remains in question — it has not been authenticated yet by Snapchat. This could certainly all be an elaborate hoax taking advantage of the recent issues the ephemeral messaging service has had," The Next Web's Ken Yeung wrote.