
Snapchat Attack May Have Exposed Data of Millions of Users

Snapchat is having a rough start to 2014.

Roughly a week after security researchers disclosed details of exploits against the popular photo messaging service, a group of hackers published the user names and associated phone numbers of 4.6 million Snapchat users.

According to a post on SnapchatDB.info, the database contains username and phone number pairs for "a vast majority" of the Snapchat users. The site has apparently been taken down by the hosting provider. However, a cached version of the site indicates that the people behind the disclosure used the technique revealed last week by Gibson Security. Following the disclosure, Gibson Security – which said it only published details of the exploit after Snapchat failed to take action – denied any involvement with the leak in a tweet Dec. 31.

"This information was acquired through the recently patched Snapchat exploit and is being shared with the public to raise awareness on the issue," according to the SnapchatDB.info post. "The company was too reluctant at patching the exploit until they knew it was too late and companies that we trust with our information should be more careful when dealing with it."

"For now, we have censored the last two digits of the phone numbers in order to minimize spam and abuse," the post continued. "Feel free to contact us to ask for the uncensored database. Under certain circumstances, we may agree to release it."

The proof-of-concept exploit Gibson Security published last week took advantage of the “find_friends” feature in the Snapchat application programming interface (API) to iterate and match the phone numbers of users to their Snapchat accounts in a short period of time. Gibson originally contacted Snapchat about the vulnerability and other issues in August.
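Seen from the defender's side, the iteration described above leaves a recognisable trace in contact-lookup logs: one account submitting far more numbers than an address book holds, mostly in consecutive runs. The sketch below is an added example, not code from Snapchat or Gibson Security; the log record layout, thresholds, account names and phone numbers are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records: (unix_time, account, numbers sent in one
# contact-lookup request). The layout is an assumption, not a real log format.
def build_sample_log():
    # Ordinary user: one upload of a small, scattered address book.
    log = [(1000, "alice", ["2025550143", "4155550199", "6465550112", "7185550178"])]
    # Bulk client: many requests walking one contiguous block of numbers.
    start = 3105550000
    for i in range(20):
        batch = [str(start + i * 50 + j) for j in range(50)]
        log.append((1000 + i * 3, "bulk_client", batch))
    return log

def sequential_ratio(numbers):
    """Fraction of numbers whose successor (n + 1) was also submitted."""
    values = {int(n) for n in numbers}
    if not values:
        return 0.0
    return sum(1 for v in values if v + 1 in values) / len(values)

def flag_enumeration(log, window=300, max_distinct=500, max_seq_ratio=0.5):
    """Return {account: (distinct_numbers, seq_ratio)} for suspicious accounts.

    An account is flagged when, within any `window`-second span, it submits
    more than `max_distinct` distinct numbers, or at least 50 numbers that
    are mostly consecutive. All thresholds are illustrative assumptions.
    """
    per_account = defaultdict(list)
    for ts, account, numbers in sorted(log, key=lambda rec: rec[0]):
        per_account[account].append((ts, numbers))
    flagged = {}
    for account, events in per_account.items():
        lo = 0
        for hi in range(len(events)):
            # Slide the window start forward until it spans <= `window` seconds.
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            seen = {n for _, batch in events[lo:hi + 1] for n in batch}
            ratio = sequential_ratio(seen)
            if len(seen) > max_distinct or (len(seen) >= 50 and ratio > max_seq_ratio):
                flagged[account] = (len(seen), round(ratio, 3))
    return flagged

if __name__ == "__main__":
    print(flag_enumeration(build_sample_log()))
```

A real address book produces a sequential ratio near zero, so the ratio check catches slow enumeration that stays under a pure volume limit.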

"An obvious concern is that many people on the Internet adopt the same username on multiple services, perhaps making it easy for unauthorized parties to determine the private phone numbers of – say – Twitter or Facebook users," blogged security researcher Graham Cluley.

The popular mobile application, developed by Stanford University students in 2011, reportedly rejected a $3 billion acquisition offer from Facebook last year.

Snapchat did not respond to a request for comment before publication.
