Anonymous hackers stole millions of usernames and phone numbers from popular smartphone photo-sharing app Snapchat and posted users’ information online on Wednesday.
The hackers published the personal information of 4.6 million Snapchat users on snapchatdb.info, but the domain name has since been suspended.
“The company was too reluctant at patching the exploit until they knew it was too late and companies that we trust with our information should be more careful when dealing with it,” the statement on the hackers’ website explained.
Snapchat’s record security breach comes less than a week after the company publicly dismissed the possibility, raised by Australia-based Gibson Security in August, that its friend-search feature could be hacked and used to identify users’ phone numbers.
In a company blog post published last week — months after Gibson Security identified the problem — Snapchat said such a breach was possible but unlikely, and that they had taken steps to correct the issue.
“Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way,” Snapchat said. “Over the past year we’ve implemented various safeguards to make it more difficult to do. We recently added additional counter-measures and continue to make improvements to combat spam and abuse.”
Those claiming responsibility for the hack said their goal was to expose the company’s poor response to a major security breach that left its users’ information poorly protected.
“Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed,” the hackers told TechCrunch. “It is understandable that tech startups have limited resources but security and privacy should not be a secondary goal. Security matters as much as user experience does.”
The last two digits of the phone numbers were omitted from the post “in order to minimize spam and abuse,” according to the hackers. Despite their seemingly good intentions, the hackers also said that, should anyone contact them, they would agree to release the uncensored list “under certain circumstances.”
“We used a modified version of [Gibson Security's] exploit / method,” the hackers told The Verge. “Snapchat could have easily avoided that disclosure by replying to Gibsonsec’s private communications, yet they didn’t. Even long after that disclosure, Snapchat was reluctant to take the necessary steps to secure user data. Once we started scraping on a large scale, they decided to implement minor obstacles, which were still far from enough. Even now the exploit persists. It is still possible to scrape this data on a large scale.”
Various reports estimate the number of Snapchat users at around 8 million, while Google downloads alone are estimated to be in the 10 million to 50 million range. Using the method described by Gibson Security, hackers could potentially check 10,000 phone numbers every seven minutes.
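The safeguards Snapchat describes above amount to server-side limits on the friend-search endpoint. The following is an added illustration, not Snapchat's or Gibson Security's code: a hypothetical guard for a contact-lookup API that caps batch size, enforces a per-account daily quota, and flags uploads whose numbers form a contiguous run (the "every number in an area code" case) rather than a scattered address book. All thresholds and phone numbers are constructed for the example.

```python
"""Hypothetical server-side guard for a contact-lookup ("find friends") API.

Added example, not Snapchat's code. It rejects the two abuse patterns the
article describes: very large uploads and area-code style sweeps, and it
meters how many numbers one account may look up per day.
"""
from collections import defaultdict

MAX_BATCH = 200      # assumed cap on numbers per upload
DAILY_QUOTA = 2000   # assumed cap on lookups per account per day
DENSE_GAP = 10       # adjacent numbers this close together look like a sweep
DENSE_RATIO = 0.5    # fraction of dense gaps that marks a batch as a sweep
MIN_SWEEP_LEN = 20   # below this size the density heuristic is not applied


def enumeration_score(numbers):
    """Fraction of adjacent (sorted) numbers within DENSE_GAP of each other.

    A genuine address book is scattered across ranges (score near 0); an
    exhaustive sweep of a number block is contiguous (score near 1)."""
    digits = sorted(int(n) for n in numbers)
    if len(digits) < 2:
        return 0.0
    dense = sum(1 for a, b in zip(digits, digits[1:]) if b - a <= DENSE_GAP)
    return dense / (len(digits) - 1)


class LookupGuard:
    """Tracks per-account consumption and classifies each upload."""

    def __init__(self):
        self.used = defaultdict(int)  # account -> numbers looked up today

    def check(self, account, numbers):
        """Return 'ok' or a rejection reason; only accepted batches count."""
        if len(numbers) > MAX_BATCH:
            return "batch-too-large"
        if len(numbers) >= MIN_SWEEP_LEN and enumeration_score(numbers) >= DENSE_RATIO:
            return "sequential-sweep"
        if self.used[account] + len(numbers) > DAILY_QUOTA:
            return "quota-exceeded"
        self.used[account] += len(numbers)
        return "ok"


# Constructed sample inputs; these are not real phone numbers.
ADDRESS_BOOK = ["15551230042", "15559870011", "15553210099"]
SWEEP = [str(15550000000 + i) for i in range(100)]          # one contiguous block
SCATTERED = [str(15550000000 + i * 99991) for i in range(200)]  # widely spaced


def demo():
    guard = LookupGuard()
    return [guard.check("alice", ADDRESS_BOOK),
            guard.check("bot", SWEEP),
            guard.check("bot", [str(15551000000 + i) for i in range(300)])]
```

A scattered upload of exactly MAX_BATCH numbers passes the density check, so the daily quota is what stops an account that repeats it; the quota, not the heuristic, bounds the total lookup rate.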
Snapchat users can find out if their accounts have been hacked by looking up their usernames with a new tool — but even if their accounts were deleted, their phone numbers may remain in leaked, searchable databases.