Snapchat, the popular photo messaging mobile service, has been hacked, and as a result the details of 4.6 million user accounts have been posted online.
A website called SnapchatDB released the data with the intention of raising the public awareness about Snapchat’s vulnerabilities. SnapchatDB said it “censored the last two digits of the phone numbers” in order to “minimize spam and abuse,” however it is still possible that the full data could be released including millions of phone numbers. Although the website is now down, the data has been downloaded and is probably available if you look in the right places.
The story starts with a set of disclosures made by Gibson Security (GibsonSec) which were largely ignored by Snapchat. According to a blog post made by Snapchat a few days ago, the disclosure by GibsonSec contains an “allegation regarding a possible attack by which one could compile a database of Snapchat usernames and phone numbers.” The post went on to say that the disclosure was theoretical, but the company did agree that “if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way.”
Those allegations and theories seem to have become very real. According to comments made to TechCrunch by the founders of SnapchatDB, the hackers used a modified version of GibsonSec’s exploit/method. The hackers added that “Snapchat could have easily avoided that disclosure by replying to Gibsonsec’s private communications, yet they didn’t.”
SnapchatDB added that the motivation behind the exposure was to raise the awareness of security issues as “you wouldn’t want to eat at a restaurant that spends millions on decoration, but barely anything on cleanliness.”
Gibson Security tweeted that it knows “nothing about SnapchatDB” but added that “it was a matter of time till something like that happened.” According to the hackers, Snapchat did make some changes once the scraping started, but it “is still possible to scrape this data on a large scale” as the changes are not hard to circumvent. GibsonSec, which is run by students, also said that the exploit still works with minor fixes.