The new year has started on a sour note for Snapchat, the self-destructing messaging app that gained massive popularity in 2013. Usernames and phone numbers of over 4.6 million Snapchat accounts have found their way online after hackers extracted the data from the service.
SnapchatDB, where the data has been posted as an SQL dump and as CSV text, lists for each user the Snapchat ID and the linked phone number along with a location. The hackers, however, censored the last two digits of the phone numbers in order to “minimise spam and abuse”. Speaking to The Verge, the alleged hackers and owners of SnapchatDB said: “Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed. Security matters as much as user experience does.”
The “exploit” the hackers refer to is a known weakness that Snapchat claimed to have mitigated but had not actually closed. Early last week, Gibson Security, a research group, claimed to have found a hole in Snapchat’s “find friends with phone numbers” function: the feature accepts a list of phone numbers and returns the matching usernames, so anyone able to submit enough numbers can turn it into a bulk lookup. Snapchat confirmed the issue but said that it had taken measures to protect user data. “Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the US, they could create a database of the results and match usernames to phone numbers that way,” Snapchat said in a blogpost last week. “Over the past year we've implemented various safeguards to make it more difficult to do. We recently added additional counter-measures and continue to make improvements to combat spam and abuse.”
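To make the enumeration pattern concrete, here is an added Python sketch. It is not Snapchat's code or API, and not anything from Gibson Security or SnapchatDB; the directory, phone numbers, usernames and function names are all made up for illustration. It runs the "every number under a prefix" sweep Snapchat's post describes against an unthrottled lookup, then shows how a simple per-caller lookup quota stops the same sweep.

```python
"""Simulated phone-number enumeration against a "find friends" style lookup,
beside a quota-limited version.

Constructed example: DIRECTORY, the numbers and the usernames are made up.
"""

from collections import defaultdict

# Constructed directory: phone number -> username (hypothetical data).
DIRECTORY = {
    "4155550101": "alice_sf",
    "4155550187": "bob_k",
    "4155550242": "carol42",
    "2125550300": "dave_nyc",
}


def find_friends(numbers):
    """Unthrottled bulk lookup: returns {number: username} for every hit.

    This mirrors the weakness described above: any caller may submit as
    many numbers as it likes and collect every match.
    """
    return {n: DIRECTORY[n] for n in numbers if n in DIRECTORY}


def enumerate_prefix(prefix, lookup, batch_size=1000):
    """Generate every 10-digit number under `prefix` and feed it to `lookup`
    in batches, i.e. the 'every number in an area code' sweep.

    `lookup` is any callable taking a list of numbers and returning a
    {number: username} dict for the matches.
    """
    width = 10 - len(prefix)
    found = {}
    batch = []
    for i in range(10 ** width):
        batch.append(f"{prefix}{i:0{width}d}")
        if len(batch) == batch_size:
            found.update(lookup(batch))
            batch = []
    if batch:
        found.update(lookup(batch))
    return found


class RateLimitedFinder:
    """Same lookup, but each caller gets a fixed budget of numbers it may
    submit. An address-book upload is a few hundred numbers; a sweep of an
    exchange or area code is thousands to millions, so it hits the cap fast.
    """

    def __init__(self, max_lookups=1000):
        self.max_lookups = max_lookups
        self.used = defaultdict(int)  # caller id -> numbers submitted so far

    def find_friends(self, caller, numbers):
        numbers = list(numbers)
        # Fail closed: reject the whole batch rather than answering part of it.
        if self.used[caller] + len(numbers) > self.max_lookups:
            raise PermissionError(f"{caller}: lookup quota exceeded")
        self.used[caller] += len(numbers)
        return {n: DIRECTORY[n] for n in numbers if n in DIRECTORY}


def demo(prefix="415555"):
    """Run the sweep against both lookups.

    Returns (hits_from_open_lookup, sweep_blocked_by_quota).
    """
    open_hits = enumerate_prefix(prefix, find_friends)

    limited = RateLimitedFinder(max_lookups=2000)
    try:
        enumerate_prefix(prefix, lambda batch: limited.find_friends("sweeper", batch))
        blocked = False
    except PermissionError:
        blocked = True
    return len(open_hits), blocked


if __name__ == "__main__":
    hits, blocked = demo()
    print(f"open lookup leaked {hits} username/number pairs; "
          f"quota-limited lookup blocked the sweep: {blocked}")
```

A per-account quota of this kind is the minimum such a feature needs, not a complete fix: an attacker can spread a sweep across many throwaway accounts or IP addresses, so a practical defence also watches the match rate per caller (a real address book mostly hits real users, a sweep mostly does not) and the aggregate lookup volume across accounts.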
It is this very vulnerability, the one Snapchat acknowledged, that has now been exploited. The SnapchatDB domain name has since been suspended. The owners of SnapchatDB wrote that users should “feel free” to contact them if they wanted access to the uncensored phone numbers. Usernames, interestingly, have not been censored: the group claims that people tend to reuse the same username across multiple websites, which makes a username on its own a useful correlation key. It also wrote that those who downloaded the data could use it to “find phone number information associated with Facebook and Twitter accounts, or simply to figure out the phone numbers of people you wish to get in touch with.”
Although reports indicate that the leak is limited mainly to Snapchat users in the US and North America, The Next Web has reported on a tool that helps you check whether your account is in the dump. The tool, a checker script created by developers Will Smidlein and Robbie Trencheny, lets you see whether your data was leaked.