Snapchat was one of the most popular apps of 2013. If you’re not familiar with the app, it allows users to send photos and messages that are erased a few seconds after being viewed. This gave users the courage to send goofy, embarrassing, and oftentimes explicit photos, because they believed the service was secure since everything was deleted permanently.
But on Christmas Eve, Gibson Security revealed a flaw in Snapchat’s API that would allow the matching of usernames to phone numbers. Snapchat brushed off the warning, stating that “Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way.”
What Snapchat wrote about the service’s vulnerability was seen as a blatant disregard for its users’ security, and, as so often happens when a warning is ignored, an attack on Snapchat followed.
The Snapchat API exploit resulted in 4.6 million usernames and phone numbers being exposed in a database appropriately dubbed SnapchatDB. The site showed each user’s username, phone number and origin, but the last two digits of the phone numbers were obscured, as were parts of the usernames.
The database has since been taken down, not because the team behind the breach cares about people’s security, but because the hosting provider was overwhelmed by the traffic. The SnapchatDB team also says it is open to divulging more information about the usernames and phone numbers.
So what triggered the hacking team to expose Snapchat’s flaw?
“Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed,” the team said in a response to an inquiry made by The Verge. “Security matters as much as user experience does.”
In its response, the team added that it is not associated with Gibson Security, but that it did use the API flaw the security firm discovered.
The hackers also stated that this could all have been avoided if Snapchat had gotten in contact with Gibson Security to fix the flaw, but instead “Snapchat was reluctant to take the necessary steps to secure user data. Once we started scraping on a large scale, they decided to implement minor obstacles, which were still far from enough. Even now the exploit persists. It is still possible to scrape this data on a large scale.”
As for who is interested in the Snapchat data the hackers have acquired, the team stated that “security researchers from around the world, professors from various universities, private investigators and attorneys” have contacted them for more information.
As for Snapchat, it hasn’t contacted the SnapchatDB team, and it is unlikely the app’s creators will, given their history of brushing off important matters.