January 2nd 2014
Photo messaging app Snapchat has been hacked, and the usernames and phone numbers of over 4.5 million users posted online. This – the latest in a series of high-profile attacks – emphasises the need to use different login details for your different online accounts, and highlights many organisations' lackadaisical approach to the security of their users' information.
Hackers exploited a security flaw which had been exposed by white-hat hackers last week. They used a modified version of the exploit to leak the information, which they made available for download on the website SnapchatDB.info; the site has since been suspended. The message read: "You are downloading 4.6 million users' phone number information, along with their usernames. People tend to use the same username around the web so you can use this information to find phone number information associated with Facebook and Twitter accounts, or simply to figure out the phone numbers of people you wish to get in touch with."
In a statement to TechCrunch, a group-edited technology news and information blog on start-up businesses, the hackers wrote: "Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed. It is understandable that tech start-ups have limited resources but security and privacy should not be a secondary goal. Security matters as much as user experience does." The statement continued: "Our main goal is to raise public awareness on how reckless many internet companies are with user information. It is a secondary goal for them, and that should not be the case."
The hackers said they had concealed the last two digits of users' phone numbers "to minimise spam and abuse," but said they may agree to release the uncensored database "under certain circumstances".
Gibson Security – the Australian white hat hackers who exposed the flaw – have emphasised that they were not involved in the leak. Responding to Gibson's warning last week, Snapchat had blogged: "Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the US, they could create a database of the results and match usernames to phone numbers that way. Over the past year we’ve implemented various safeguards to make it more difficult to do. We recently added additional counter-measures and continue to make improvements to combat spam and abuse."
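Snapchat's statement describes the attack mechanism in general terms: a client uploads a very large set of phone numbers to a contact-matching endpoint and records which ones resolve to usernames. From a defender's side, that pattern is visible in the endpoint's own logs as one client uploading far more numbers than a real address book contains, often in contiguous runs. The following is an added example written for this article, not Snapchat's code or Gibson Security's proof of concept; it assumes a hypothetical lookup log of `(client_id, unix_time, numbers_uploaded)` tuples and uses constructed sample entries.

```python
from collections import defaultdict

# Constructed sample log for a hypothetical "find friends" lookup endpoint.
# Each entry: (client identifier, unix timestamp, phone numbers uploaded in that request).
SAMPLE_LOG = [
    ("app-user-1", 1000, ["+15550100001", "+15550100017", "+15550100042"]),
    ("app-user-2", 1010, ["+15550200003"]),
    # A client sweeping an entire number block in two consecutive requests.
    ("sweeper-9", 1020, [f"+1555010{n:04d}" for n in range(0, 500)]),
    ("sweeper-9", 1030, [f"+1555010{n:04d}" for n in range(500, 1000)]),
]

# Thresholds are assumptions for illustration; real values depend on observed address-book sizes.
MAX_NUMBERS_PER_WINDOW = 200   # more distinct numbers than any plausible contact list
MAX_SEQUENTIAL_RUN = 50        # long runs of consecutive numbers indicate a range sweep


def longest_sequential_run(numbers):
    """Length of the longest run of consecutive phone numbers in the set."""
    digits = sorted({int(n.lstrip("+")) for n in numbers})
    if not digits:
        return 0
    best = run = 1
    for prev, cur in zip(digits, digits[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def flag_bulk_lookups(log, window_seconds=60):
    """Aggregate uploads per client per time window and flag enumeration patterns.

    Returns a dict mapping client_id -> sorted list of reasons ("volume", "sequential").
    Clients that stay under both thresholds in every window are not present.
    """
    per_window = defaultdict(set)
    for client_id, unix_time, numbers in log:
        per_window[(client_id, unix_time // window_seconds)].update(numbers)

    flagged = defaultdict(set)
    for (client_id, _window), numbers in per_window.items():
        if len(numbers) > MAX_NUMBERS_PER_WINDOW:
            flagged[client_id].add("volume")
        if longest_sequential_run(numbers) > MAX_SEQUENTIAL_RUN:
            flagged[client_id].add("sequential")
    return {client: sorted(reasons) for client, reasons in flagged.items()}


if __name__ == "__main__":
    for client, reasons in flag_bulk_lookups(SAMPLE_LOG).items():
        print(f"{client}: {', '.join(reasons)}")
```

Run over the constructed log, only `sweeper-9` is reported, for both volume and sequential-range reasons, while the two ordinary clients are untouched. Flagging is only the detection half; the response side (per-client rate limits on the endpoint, requiring verified contact uploads, or returning matches only for numbers the requester already has a relationship with) is what actually reduces how much a sweep can harvest.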
A similar security flaw in Snapchat was revealed exactly one year ago, when users' email addresses were exposed.