April 17, 2014

Snapchat hack results in 4.6 million accounts being posted online

Snapchat, the popular photo messaging mobile service, has been hacked and as a result the details of 4.6 million user accounts (usernames paired with partially redacted phone numbers) have been posted online.

A website called SnapchatDB released the data with the stated intention of raising public awareness of Snapchat’s vulnerabilities. SnapchatDB said it “censored the last two digits of the phone numbers” in order to “minimize spam and abuse,” but the unredacted data, including millions of complete phone numbers, could still be released. Although the website is now down, the data has been downloaded and is probably available if you look in the right places.

The story starts with a set of disclosures made by Gibson Security (GibsonSec) which were largely ignored by Snapchat. According to a blog post published by Snapchat a few days ago, the GibsonSec disclosure contained an “allegation regarding a possible attack by which one could compile a database of Snapchat usernames and phone numbers.” The post went on to describe the disclosure as theoretical, but the company did agree that “if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way.”
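The attack Snapchat describes is plain enumeration of a contact-lookup endpoint: the client submits a batch of phone numbers and the service answers with the usernames registered to them, so an attacker who submits every number in a range gets the directory back. The simulation below is an added example and is not Snapchat’s API or GibsonSec’s code; the service, the sample users, the quota scheme and the prefix “212555” are all constructed for illustration. It walks a four-digit range against an unthrottled service and then against one with a batch cap and a per-client quota, to show how much a quota alone does and does not stop.

```python
"""Contact-lookup enumeration, simulated (added example, not Snapchat's API)."""
from collections import defaultdict

# Constructed sample directory: phone number -> username.
SAMPLE_USERS = {
    "2125550101": "alice",
    "2125550177": "bob",
    "2125559900": "carol",
    "3105550123": "dave",
}


class FindFriendsService:
    """Toy batch 'find friends' endpoint.

    max_batch: cap on numbers per request (None = unlimited).
    quota:     cap on total numbers one client may look up (None = unlimited).
    With both None it behaves like the unthrottled service described above.
    """

    def __init__(self, users, max_batch=None, quota=None):
        self.users = users
        self.max_batch = max_batch
        self.quota = quota
        self.used = defaultdict(int)  # client_id -> numbers looked up so far

    def find_friends(self, client_id, numbers):
        """Return {number: username} for every submitted number that belongs to a user."""
        if self.max_batch is not None and len(numbers) > self.max_batch:
            raise ValueError(f"batch of {len(numbers)} exceeds max_batch={self.max_batch}")
        if self.quota is not None and self.used[client_id] + len(numbers) > self.quota:
            raise PermissionError("lookup quota exceeded")
        self.used[client_id] += len(numbers)
        return {n: self.users[n] for n in numbers if n in self.users}


def enumerate_range(service, client_id, prefix, digits, batch_size=1000):
    """Look up every number prefix + <digits> trailing digits, in batches.

    Returns (found, requests_made). Stops at the first quota refusal, which is
    what a per-client quota is meant to force.
    """
    found = {}
    requests = 0
    total = 10 ** digits
    for start in range(0, total, batch_size):
        batch = [f"{prefix}{i:0{digits}d}" for i in range(start, min(start + batch_size, total))]
        try:
            found.update(service.find_friends(client_id, batch))
        except PermissionError:
            break
        requests += 1
    return found, requests


if __name__ == "__main__":
    open_service = FindFriendsService(SAMPLE_USERS)
    hits, n = enumerate_range(open_service, "attacker", "212555", 4)
    print(f"unthrottled: {n} requests, matched {hits}")

    capped = FindFriendsService(SAMPLE_USERS, max_batch=1000, quota=2000)
    hits, n = enumerate_range(capped, "attacker", "212555", 4)
    print(f"quota=2000: {n} requests, matched {hits}")
```

Against the unthrottled service ten requests recover every user in the range; with a 2,000-number quota the enumerator is cut off after two requests and misses the user at the top of the range. A per-client quota is only as strong as the cost of obtaining another client identity, though: an attacker who can register accounts freely simply spreads the same 10,000 lookups across several of them, which is the kind of circumvention the article’s sources describe.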

Those allegations and theories seem to have become very real. According to comments made to TechCrunch by the founders of SnapchatDB, the hackers used a modified version of GibsonSec’s exploit/method. The hackers added that “Snapchat could have easily avoided that disclosure by replying to Gibsonsec’s private communications, yet they didn’t.”

SnapchatDB added that the motivation behind the exposure was to raise the awareness of security issues as “you wouldn’t want to eat at a restaurant that spends millions on decoration, but barely anything on cleanliness.”

Gibson Security tweeted that it knows “nothing about SnapchatDB” but added that “it was a matter of time till something like that happened.” According to the hackers, Snapchat did make some changes once the scraping started, but it “is still possible to scrape this data on a large scale” as the changes are not hard to circumvent. GibsonSec, which is run by students, also said that the exploit still works with minor fixes.

Microsoft’s Indian Online Store Hacked

(LiveHacking.Com) – It appears that Microsoft’s online store in India was hacked over the weekend. During the hack the site was defaced and user information was exposed, including passwords that had been stored unencrypted, in plain text. Initially Microsoft didn’t comment on the attack, which is very embarrassing for the Redmond company. However, they have now commented:

“Microsoft is investigating the limited compromise of the company’s online store in India,” a Microsoft spokesperson told SecurityWeek. “Customers have been notified and provided with guidance to reset their passwords. We are diligently working to remedy the incident and keep our customers protected.”

The hacker taking credit for the attack is known as “7z1&Ancker” and is claiming to be part of “EvilShadow Team”. Microsoft quickly took the site offline once the attack was discovered and it currently remains unavailable.

A Microsoft spokeswoman told Reuters: “The store customers have already been sent guidance on the issue and suggested immediate actions. We are diligently working to remedy the issue and keep our customers protected.”

The website is operated for Microsoft by Indian company Quasar Media.