Snapchat confirms leak of 4.6M usernames, doesn't apologize

Two days after hackers used a publicly known API to download and publish a huge database of Snapchat usernames and phone numbers, Snapchat has finally responded.

Granted, the leak happened late New Year’s Eve, and yesterday was a holiday, so Snapchat’s response isn’t as slow as it might otherwise seem. But the blog post is notable in its lack of an apology.

Snapchat’s response includes a confirmation that Gibson Security’s Snapchat security report is correct and that it is what attackers used to get the database of 4.6 million usernames and their associated phone numbers.

A security group first published a report about potential Find Friends abuse in August 2013. Shortly thereafter, we implemented practices like rate limiting aimed at addressing these concerns. On Christmas Eve, that same group publicly documented our API, making it easier for individuals to abuse our service and violate our Terms of Use.

We acknowledged in a blog post last Friday that it was possible for an attacker to use the functionality of Find Friends to upload a large number of random phone numbers and match them with Snapchat usernames. On New Years Eve, an attacker released a database of partially redacted phone numbers and usernames. No other information, including Snaps, was leaked or accessed in these attacks.

For researchers who find and alert companies to vulnerabilities, having their warnings go unheeded is troubling.

“They probably dismissed the bug as theoretical in our case, which was, very, very, frustrating,” a spokesperson for Gibson Security told VentureBeat. “Having any security vulnerabilities in a system is a bad thing. It doesn’t really matter how severe they are.”

The hackers seemed to share Gibson’s frustrations. Earlier today, those behind “SnapchatDB,” the database where 4.6 million Snapchat users’ phone numbers now sit, explained that they hacked Snapchat to send a message. They wanted to bring awareness to the vulnerability and force the self-destructing app to plug its holes.

“Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed,” the hackers told The Verge. “Security matters as much as user experience does.”

How Snapchat is addressing the situation: It will issue a new version of the Snapchat application and will permit users to opt out of the “Find Friends” feature (which is the basis of the attack). It will also implement rate limiting, to restrict the number of usernames that attackers can download through this kind of exploit, and will add other unspecified limitations to its API.

Snapchat did not say when it would issue a new version of the app or make these changes to its API.

“I can understand [why they hacked Snapchat], and it’s probably going to get Snapchat to do something, but I think it was too far, and they could have at least censored more of the phone numbers,” said the Gibson Security spokesperson, who added, “We’re not affiliated with, nor have we communicated with, SnapchatDB.”

The hackers’ intentions, however, are to be questioned. When SnapchatDB was published, those behind it redacted the last two numbers in each phone number so as to minimize spam as much as possible. However, they also offered to give the uncensored database, saying, “Under certain circumstances, we may agree to release it.”

“I wasn’t sure what to think of that, if the motivation was genuine. But it’s very possible that they are a person who wants this fixed — but wants the money more,” said Gibson Security.

In the aftermath, the research company put together a tool to help Snapchat users find out if they’re a victim in this hack. The lookup is available on Gibson’s website. If you are a victim, be cautious of any text messages you may receive. Think twice about opening links as they may be malicious.

Yes, phones can be compromised as well. But Lookout Mobile principal security researcher Marc Rogers says you might be more at risk for harassment.

“Whats more likely is that these users will find them selves the victims of harassing phone calls or even unsolicited spam. There is also a slight risk that users can now be tied to messages they had sent previously which may or may not have consequences for their privacy,” he told VentureBeat.

Snapchat raised $50 million in a funding round led by Coatue Management earlier in December at a valuation rumored to be $2 billion. The company’s founders reportedly rejected a $3 billion acquisition offer from Facebook.

Additional reporting from Dylan Tweney.