When you hear that 4.6 million usernames and partial phone numbers have been published online, it’s easy to blame the publisher, but what about the company that may have left all that private data hanging so low on the tree?
Snapchat is one of the hottest names in tech right now. The company, which could be worth $3 billion, makes an app that lets users send ephemeral picture and video messages to one another. It has reportedly rebuffed buyout offers from Facebook and Google, citing its explosive growth rate.
But all is not well in the sexting kingdom. On Christmas Eve, a company called Gibson Security warned that Snapchat was vulnerable to a specific exploit, a way for another party to gain access to its data. A few days later, someone posted millions of usernames and phone numbers (with a couple of digits redacted) online.
A person or group claiming responsibility for that hack has since communicated with The Verge:
The individual or team claiming responsibility for SnapchatDB has responded to The Verge’s requests for comment the morning after the database went online, containing a leaked collection of some 4.6 million apparent Snapchat usernames and partial phone numbers. “Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed,” they say. “Security matters as much as user experience does.”
Giving organizations a specific timeframe in which to fix a security flaw in their product before releasing details to the public is a common tactic among white-hat hackers, designed to put pressure on developers to fix the flaws as quickly as possible. In Snapchat’s case, the leak comes just days after a blog post in which Snapchat alluded to a flaw posted on Christmas Eve by Gibson Security that alleged it could match thousands of phone numbers to usernames every few minutes. “Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way,” Snapchat wrote.
Indeed, that appears to be what the team behind SnapchatDB did: “We used a modified version of [Gibson Security’s] exploit/method,” they tell The Verge. “Snapchat could have easily avoided that disclosure by replying to Gibsonsec’s private communications, yet they didn’t. Even long after that disclosure, Snapchat was reluctant to take the necessary steps to secure user data. Once we started scraping on a large scale, they decided to implement minor obstacles, which were still far from enough. Even now the exploit persists. It is still possible to scrape this data on a large scale.”
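The flaw Snapchat describes above is a bulk-enumeration problem: a friend-finder that answers every uploaded phone number lets one caller walk an entire area code and build a number-to-username table. The following is an added illustration, not Snapchat's code or anything from Gibson Security; it models a hypothetical lookup service on a constructed directory and shows the two controls a defender would reach for first, a per-caller quota on numbers answered per window and an alert when a single caller's submitted volume exceeds a threshold. The class and function names, the directory contents and the thresholds are all assumptions.

```python
from collections import defaultdict

# Constructed sample directory (phone number -> username); not real accounts.
DIRECTORY = {
    "+15550000001": "alice",
    "+15550000002": "bob",
    "+15550000003": "carol",
    "+15550009999": "dave",
}


def area_code_batch(prefix, count):
    """Constructed input: sequential numbers under one prefix, the kind of
    exhaustive upload the article's quote describes."""
    return [f"{prefix}{n:07d}" for n in range(1, count + 1)]


class FindFriendsService:
    """Hypothetical friend-finder endpoint (assumed design, not Snapchat's).

    max_lookups_per_window=None reproduces the unthrottled behaviour: every
    uploaded number is answered.  With a quota, numbers beyond it are rejected
    rather than answered, so one caller cannot walk a whole area code in a
    single window.  alert_threshold flags callers whose submitted volume is
    far above what a real contact list would produce.
    """

    def __init__(self, directory, max_lookups_per_window=None, alert_threshold=None):
        self.directory = directory
        self.max_lookups = max_lookups_per_window   # None = unthrottled
        self.alert_threshold = alert_threshold      # None = no detection
        self.attempted = defaultdict(int)           # caller -> numbers submitted this window
        self.alerts = []                            # callers flagged for review

    def find_friends(self, caller_id, numbers):
        """Return (matches, rejected_count) for one upload from caller_id."""
        numbers = list(numbers)
        if self.max_lookups is None:
            accepted = numbers
        else:
            remaining = max(0, self.max_lookups - self.attempted[caller_id])
            accepted = numbers[:remaining]
        # Count every submitted number, not just the answered ones, so that
        # retries against an exhausted quota still feed the detection signal.
        self.attempted[caller_id] += len(numbers)
        if (self.alert_threshold is not None
                and self.attempted[caller_id] > self.alert_threshold
                and caller_id not in self.alerts):
            self.alerts.append(caller_id)
        matches = {n: self.directory[n] for n in accepted if n in self.directory}
        return matches, len(numbers) - len(accepted)

    def reset_window(self):
        """Start a new rate-limit window (e.g. called hourly)."""
        self.attempted.clear()


def compare_policies():
    """Run the same 10,000-number upload against an unthrottled service and a
    quota-plus-alerting one; returns the outcomes for inspection."""
    batch = area_code_batch("+1555", 10000)

    open_service = FindFriendsService(DIRECTORY)
    open_matches, open_rejected = open_service.find_friends("client-A", batch)

    guarded = FindFriendsService(DIRECTORY, max_lookups_per_window=100, alert_threshold=500)
    guarded_matches, guarded_rejected = guarded.find_friends("client-A", batch)
    # A second upload in the same window gets nothing at all.
    retry_matches, retry_rejected = guarded.find_friends("client-A", batch)

    return {
        "open_matches": open_matches,
        "open_rejected": open_rejected,
        "guarded_matches": guarded_matches,
        "guarded_rejected": guarded_rejected,
        "retry_matches": retry_matches,
        "retry_rejected": retry_rejected,
        "alerts": list(guarded.alerts),
    }


if __name__ == "__main__":
    for key, value in compare_policies().items():
        print(f"{key}: {value}")
```

The quota alone only slows a determined scraper down (they can spread uploads across many accounts and windows), which is why the volume alert matters: per-caller counts that look nothing like a phone's contact list are the signal a detection team would page on, and they are cheap to keep even when the lookup itself is allowed.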
Much of Snapchat’s allure is that messages can be viewed for only a few seconds and users living in the age of Big Brother and Big Data can feel comfortable sharing private, intimate and perhaps embarrassing communications. If it’s true that Snapchat doesn’t take security seriously enough, as alleged, then it could take the shine off that intimation of secrecy.