Feedback Friday: Industry Experts Comment on Hive Ransomware Takedown

Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Snapchat Attack May Have Exposed Data of Millions of Users

Snapchat is having a rough start to 2014.

Roughly a week after security researchers disclosed details of exploits against the popular photo messaging service, a group of hackers published the user names and associated phone numbers of 4.6 million Snapchat users.

Snapchat is having a rough start to 2014.

Roughly a week after security researchers disclosed details of exploits against the popular photo messaging service, a group of hackers published the user names and associated phone numbers of 4.6 million Snapchat users.

According to a post on SnapchatDB.info, the database contains username and phone number pairs for “a vast majority” of the Snapchat users. The site has apparently been taken down by the hosting provider. However, a cached version of the site indicates that the people behind the disclosure used the technique revealed last week by Gibson Security. Following the disclosure, Gibson Security – which said it only published details of the exploit after Snapchat failed to take action – denied any involvement with the leak in a tweet Dec. 31.

“This information was acquired through the recently patched Snapchat exploit and is being shared with the public to raise awareness on the issue,” according to the SnapchatDB.info post. “The company was too reluctant at patching the exploit until they knew it was too late and companies that we trust with our information should be more careful when dealing with it.”

“For now, we have censored the last two digits of the phone numbers in order to minimize spam and abuse,” the post continued. “Feel free to contact us to ask for the uncensored database. Under certain circumstances, we may agree to release it.”

The proof-of-concept exploit Gibson Security published last week took advantage of the “find_friends” feature in the Snapchat application programming interface (API) to iterate and match the phone numbers of users to their Snapchat accounts in a short period of time. Gibson originally contacted Snapchat about the vulnerability and other issues in August.

“An obvious concern is that many people on the Internet adopt the same username on multiple services, perhaps making it easy for unauthorized parties to determine the private phone numbers of – say – Twitter or Facebook users,” blogged security researcher Graham Cluley.

The popular mobile application, developed Stanford University students in 2011, reportedly rejected a $3 billion acquistion offer from Facebook last year.

Snapchat did not respond to a request for comment before publication.

Written By

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.