Users of the rapidly growing photo sharing social app called Snapchat got some potentially bad news — and now the company has responded.
It’s estimated the names and phone numbers of about 4.6 million Snapchat members were published online by anonymous hackers at a site that’s since been taken down (although some information is still available via leaked databases).
If you are a Snapchat user and aren’t sure whether you’ve been affected, visit this site first. It was set up by a security group very close to the Snapchat problem. Only users within certain area codes in the United States were affected by the breach, according to the site.
You may remember Snapchat as the social startup that recently turned down a cool $3 billion from Facebook, which wanted to acquire the company. You may also remember that Snapchat specializes in a type of photo sharing in which temporary photos and brief messages are shared on the network for up to 10 seconds and then deleted. (The site actually notifies the sender if another user has made a copy of the message.) Also important is that messages are shared only with the connections you specifically designate – not to the entire world.
So with such an emphasis on allowing users to control with whom they are sharing messages, you would think that user privacy should have been a top priority.
However, it turns out that Snapchat was apparently warned twice about the vulnerability in its system and did not do enough to address it.
In fact, Snapchat was reportedly contacted as early as August by an Australia-based company called Gibson Security, The Daily Caller reports. Gibson set up the site mentioned above for members to determine whether or not their accounts have been breached.
Then, last week Snapchat acknowledged the security group had posted a private communication detailing a specific method hackers could use to obtain private user information, but downplayed the problem. On its official blog, Snapchat explained:
Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way. Over the past year we’ve implemented various safeguards to make it more difficult to do. We recently added additional counter-measures and continue to make improvements to combat spam and abuse.
Yet, hackers apparently used a variation of the exact tactic spelled out by Gibson to successfully obtain user information from the site. Hackers who claimed responsibility for yesterday’s breach insisted they were trying to expose Snapchat’s security issues for everyone’s good. They told the Verge:
“Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed. Security matters as much as user experience does.”
Snapchat today responded by emphasizing that the information released was limited to redacted phone numbers and usernames, not “snaps” (i.e., pictures shared). It also said that the vulnerability is related to the optional “Find Friends” feature and noted:
“We will be releasing an updated version of the Snapchat application that will allow Snapchatters to opt out of appearing in Find Friends after they have verified their phone number. We’re also improving rate limiting and other restrictions to address future attempts to abuse our service.”
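The attack Snapchat's blog post describes, and the effect of the two countermeasures it announced, can be made concrete with a small simulation. This is an added example and is not Snapchat's or Gibson Security's code: the `FindFriends` class, the `DIRECTORY` lookup table, the phone numbers and the 2,000-per-minute budget are all hypothetical, and the real API's request format is not shown.

```python
"""Toy model of a phone-number-to-username lookup (the article's "Find
Friends") and of the bulk-enumeration abuse Snapchat's blog describes, plus
the two mitigations Snapchat announced: an opt-out flag and rate limiting.
Hypothetical illustration only; not Snapchat's or Gibson Security's code."""
import time
from collections import defaultdict

# Constructed sample data: phone number -> (username, opted_out_of_find_friends).
# A real directory would be far larger; four entries suffice to show the effect.
DIRECTORY = {
    "5550100042": ("alice", False),
    "5550101337": ("bob", False),
    "5550107777": ("carol", True),   # carol has opted out of Find Friends
    "5550109999": ("dave", False),
}


class RateLimited(Exception):
    """Raised when a caller exceeds its lookup budget for the current window."""


class FindFriends:
    """Server side. With the defaults (no opt-out, no limit) it behaves like the
    vulnerable service; pass honor_opt_out / per_window to harden it."""

    def __init__(self, honor_opt_out=False, per_window=None, window_s=60.0,
                 clock=time.monotonic):
        self.honor_opt_out = honor_opt_out
        self.per_window = per_window      # max numbers one caller may submit per window
        self.window_s = window_s
        self.clock = clock                # injectable so tests are deterministic
        self._usage = defaultdict(list)   # caller -> [(timestamp, numbers_submitted)]

    def lookup(self, caller, numbers):
        """Return {phone: username} for every submitted number that is known."""
        if self.per_window is not None:
            now = self.clock()
            # Sliding window over numbers submitted, not over requests: the
            # attack batches thousands of numbers per request, so counting
            # requests alone would barely slow it down.
            recent = [(t, n) for t, n in self._usage[caller] if now - t < self.window_s]
            if sum(n for _, n in recent) + len(numbers) > self.per_window:
                raise RateLimited(f"{caller} exceeded {self.per_window} lookups per window")
            recent.append((now, len(numbers)))
            self._usage[caller] = recent

        matches = {}
        for number in numbers:
            entry = DIRECTORY.get(number)
            if entry is None:
                continue
            username, opted_out = entry
            if self.honor_opt_out and opted_out:
                continue                  # opted-out users are invisible to lookups
            matches[number] = username
        return matches


def enumerate_exchange(service, caller, area_code, prefix, batch=1000):
    """Attacker side: submit every line number under one area code + exchange
    prefix (10,000 numbers) in batches; the blog post's "every number in an
    area code" scenario is the same loop at larger scale.
    Returns (matches_found, was_rate_limited)."""
    numbers = [f"{area_code}{prefix}{line:04d}" for line in range(10_000)]
    found = {}
    for i in range(0, len(numbers), batch):
        try:
            found.update(service.lookup(caller, numbers[i:i + batch]))
        except RateLimited:
            return found, True            # attacker must wait for the window to pass
    return found, False


if __name__ == "__main__":
    vulnerable = FindFriends()
    print("no mitigations:   ", enumerate_exchange(vulnerable, "attacker", "555", "010"))

    opt_out_only = FindFriends(honor_opt_out=True)
    print("opt-out honored:  ", enumerate_exchange(opt_out_only, "attacker", "555", "010"))

    hardened = FindFriends(honor_opt_out=True, per_window=2000)
    print("opt-out + 2000/min:", enumerate_exchange(hardened, "attacker", "555", "010"))
```

Two points the simulation makes visible. The budget has to be counted in phone numbers rather than requests, because the enumeration submits large batches and a per-request limit would leave it almost as fast as before. And a per-account window only raises the attacker's cost (more accounts, more time); it does not protect a user by itself, which is why the opt-out matters: an opted-out number never appears in any response, however the lookups are paced.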
Image via SnapChat