Los Angeles Times
The user names and phone numbers of more than 4.6 million Snapchat users were posted online this week by an anonymous hacker, just days after the Los Angeles startup was warned that such a data compromise could happen.
On a website called SnapchatDB, which may be run by an individual or a group, files containing Snapchat users’ information were posted Wednesday. The website has since been taken down, but while it was live, users could download the data in SQL or CSV format.
The data contained the user names and associated phone numbers of many users, all located within North America but primarily in the U.S. The final two digits of each phone number were also censored in order to offer the affected users some protection.
The hacker or hackers said the data was published to prompt Snapchat to fix a security hole that it was aware of and had been warned could be exploited.
“Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed,” SnapchatDB told tech website The Verge. “Security matters as much as user experience does.”
Snapchat was warned by a group called Gibson Security on Christmas Eve that its mobile application contained a security flaw that could expose its users in the exact way that SnapchatDB managed to do. Days after the warning, Snapchat acknowledged the vulnerability on a company blog, but downplayed the seriousness of the security hole.
“Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match user names to phone numbers that way,” Snapchat said in the blog post, which was posted on Friday. “Over the past year, we’ve implemented various safeguards to make it more difficult to do. We recently added additional counter-measures and continue to make improvements to combat spam and abuse.”
Snapchat had yet to comment early Thursday on the SnapchatDB hack.
Users can check if their information has been exposed by going to Snapcheck or Gibson Security Lookup.