Snapchat has belatedly acknowledged the leak of some 4.6 million usernames and telephone numbers earlier this week in an official blog post.
In its post, Snapchat stated that Gibson Security had published a report back in August 2013 warning of the risk of potential ‘Find Friends’ abuse, and that it had addressed the issue with rate limiting. Gibson Security was the same security firm that later published Snapchat’s API weakness on Christmas Eve, which the company dismissed at the time.
Noticeably, not once did Snapchat apologize to its users for the breach. In fact, it didn’t seem to express any remorse, nor admit any guilt at all, about the fact that so many of its users were hacked and their personal information posted online.
It did, at least, promise to improve both the service and the app in the coming weeks:
“We will be releasing an updated version of the Snapchat application that will allow Snapchatters to opt out of appearing in ‘Find Friends’ after they have verified their phone number. We’re also improving rate limiting and other restrictions to address future attempts to abuse our service,” Snapchat wrote.
Snapchat didn’t bother to get in touch with Gibson Security after the security report was released, and that’s why it has come in for so much criticism over the breach. Had it done so, the hack could well have been avoided. Instead, all Snapchat did was to post its email address, firstname.lastname@example.org, so security researchers could contact the company if they find any other security flaws in the app.
The people behind the data leak, SnapchatDB, stated that they did so to raise public awareness around security issues and to put pressure on Snapchat to fix the flaw.
This has almost been like a lesson in public humility, since Snapchat blatantly chose to ignore Gibson Security’s warning, and it immediately paid the price for doing so.