
Snapchat confirms the leak of 4.6 Million Usernames And Phone Numbers


Here is Snapchat's statement in response to news that 4.6 million usernames and phone numbers have been leaked.
Hackers used a publicly known API to download and publish a huge database of Snapchat usernames and phone numbers, and Snapchat has finally given an official statement.
Snapchat's response includes a confirmation that Gibson Security's Snapchat security report is correct, and that it describes what attackers used to obtain the database of 4.6 million usernames and their associated phone numbers.

When we first built Snapchat, we had a difficult time finding other friends that were using the service. We wanted a way to find friends in our address book that were also using Snapchat – so we created Find Friends. Find Friends is an optional service that asks Snapchatters to enter their phone number so that their friends can find their username. This means that if you enter your phone number into Find Friends, someone who has your phone number in his or her address book can find your username.
A security group first published a report about potential Find Friends abuse in August 2013. Shortly thereafter, we implemented practices like rate limiting aimed at addressing these concerns. On Christmas Eve, that same group publicly documented our API, making it easier for individuals to abuse our service and violate our Terms of Use.
We acknowledged in a blog post last Friday that it was possible for an attacker to use the functionality of Find Friends to upload a large number of random phone numbers and match them with Snapchat usernames. On New Year's Eve, an attacker released a database of partially redacted phone numbers and usernames. No other information, including Snaps, was leaked or accessed in these attacks.
We will be releasing an updated version of the Snapchat application that will allow Snapchatters to opt out of appearing in Find Friends after they have verified their phone number. We’re also improving rate limiting and other restrictions to address future attempts to abuse our service.
We want to make sure that security experts can get ahold of us when they discover new ways to abuse our service so that we can respond quickly to address those concerns. The best way to let us know about security vulnerabilities is by emailing us: security@snapchat.com.
The Snapchat community is a place where friends feel comfortable expressing themselves and we’re dedicated to preventing abuse.

For researchers who find and alert companies to vulnerabilities, having their warnings go unheeded is troubling.

“They probably dismissed the bug as theoretical in our case, which was, very, very, frustrating,” a spokesperson for Gibson Security told VentureBeat. “Having any security vulnerabilities in a system is a bad thing, it doesn’t really matter how severe they are.”
The hackers seemed to share Gibson’s frustrations. Earlier today those behind “SnapchatDB,” the database where 4.6 million Snapchat users’ phone numbers now sit, explained that they hacked Snapchat to send a message. They wanted to bring awareness to the vulnerability and force the self-destructing app to plug its holes.
“Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed,” the hackers told The Verge. “Security matters as much as user experience does.”
How Snapchat is addressing the situation: It will be issuing a new version of the Snapchat application, and will allow users to opt out of the “Find Friends” feature (which is the basis of the attack). It is also going to implement rate limiting, to restrict the number of usernames that attackers can download through this kind of exploit, and will add other unspecified limitations to its API.
Snapchat did not say when it would issue a new version of the app or make these changes to its API.
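The two mitigations named above, an opt-out flag on verified phone numbers and rate limiting on the lookup endpoint, sketched as an added example (this is not Snapchat's code; the service class, the sample directory and the limit values are assumptions):

```python
# Added example (not Snapchat's code): a contact-discovery lookup that charges
# quota for every submitted number and honours an opt-out flag.
import time
from collections import defaultdict, deque

# Constructed sample directory: phone number -> (username, opted_out_of_find_friends)
DIRECTORY = {
    "+15550000001": ("alice", False),
    "+15550000002": ("bob", True),    # verified phone, but opted out
    "+15550000003": ("carol", False),
}

class FindFriendsService:
    """Assumed design: per-caller sliding-window limit plus a batch size cap."""
    def __init__(self, max_lookups, window_seconds, batch_cap):
        self.max_lookups = max_lookups      # numbers a caller may resolve per window
        self.window = window_seconds
        self.batch_cap = batch_cap          # max numbers accepted in one request
        self._log = defaultdict(deque)      # caller -> timestamps of charged lookups

    def _allow(self, caller, count, now):
        q = self._log[caller]
        while q and now - q[0] >= self.window:   # drop entries outside the window
            q.popleft()
        if len(q) + count > self.max_lookups:
            return False
        q.extend([now] * count)
        return True

    def find_friends(self, caller, numbers, now=None):
        now = time.time() if now is None else now
        if len(numbers) > self.batch_cap:
            return {"error": "batch too large"}
        # Charge quota for every number submitted, hit or miss, so that random
        # numbers that match nobody still count against the caller.
        if not self._allow(caller, len(numbers), now):
            return {"error": "rate limited"}
        matches = {}
        for n in numbers:
            entry = DIRECTORY.get(n)
            if entry and not entry[1]:      # opted-out users are never returned
                matches[n] = entry[0]
        return {"matches": matches}
```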
“I can understand [why they hacked Snapchat], and it’s probably going to get Snapchat to do something, but I think it was too far, and they could have at least censored more of the phone numbers,” said the Gibson Security spokesperson who added, “We’re not affiliated with, nor have we communicated with SnapchatDB.”
The hackers’ intentions, however, are open to question. When SnapchatDB was published, those behind it redacted the last two digits of each phone number to minimize spam. However, they also offered to hand over the uncensored database, saying, “Under certain circumstances, we may agree to release it.”
“I wasn’t sure what to think of that, if the motivation was genuine. But it’s very possible that they are a person who wants this fixed, but wants the money more,” said Gibson Security.
In the aftermath, the research company put together a tool to help Snapchat users find out if they’re a victim in this hack. The lookup is available on Gibson’s website. If you are a victim, be cautious of any text messages you may receive. Think twice about opening links as they may be malicious.
Yes, phones can be compromised as well. Many malicious links could result in something called toll fraud where hackers will use your phone to send premium text messages that cost money.

Sources:
VentureBeat
Business Insider