The incident comes just days after Snapchat acknowledged a potential flaw that would allow exposure of usernames and phone numbers.
January 1, 2014 11:31 AM PST
Heads up, Snapchat users: someone has allegedly compromised 4.6 million accounts, potentially exposing your usernames and phone numbers.
The Snapchat account information apparently had been posted to a site called SnapchatDB.info by an individual or group determined to prod the 2-year-old photo-sharing service, which has more than 8 million adult users in the US alone, into shoring up its security. Sometime after the hack was first revealed overnight, the SnapchatDB site went offline, perhaps because of all the attention it attracted: “This account has been suspended,” reads the brief note at the Web site. “Either the domain has been overused, or the reseller ran out of resources.”
The phone numbers that were revealed were not quite complete. SnapchatDB reportedly blocked out the last two digits in a small, but likely incomplete, gesture toward preserving users’ privacy.
The incident, which affects users primarily in the US, comes just a few days after Snapchat acknowledged a potential vulnerability that would allow “a possible attack by which one could compile a database of Snapchat usernames and phone numbers.” At that time, Snapchat even described how such an attack might be constructed — a description suggestive of the framework that may have been used by SnapchatDB — even as it said it had taken preventive measures:
Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way. Over the past year we’ve implemented various safeguards to make it more difficult to do. We recently added additional counter-measures and continue to make improvements to combat spam and abuse.
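The attack Snapchat describes above is a volume problem: contact matching is a legitimate feature, but one client that submits every number in an area code is walking a keyspace rather than uploading an address book. The following is an added illustration of the kind of server-side control that bounds such lookups; it is not Snapchat's code and does not describe the safeguards Snapchat says it implemented. The endpoint, the client identifier, the log format and every threshold are assumptions.

```python
"""Bound bulk phone-number lookups against a contact-matching endpoint.

Added illustration, not Snapchat's code. Assumes a hypothetical
"find friends" API whose access log records, per request, a client
identifier and the list of phone numbers submitted for matching.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple


@dataclass(frozen=True)
class LookupEvent:
    ts: float                  # request time, seconds since epoch
    client: str                # per-device or per-account id (hypothetical)
    numbers: Tuple[str, ...]   # phone numbers submitted in this request


class EnumerationDetector:
    """Two controls, with hypothetical policy values as defaults.

    * max_per_request caps the numbers accepted in a single upload.
    * max_distinct per sliding window caps how many distinct numbers one
      client may resolve in that period, which bounds the number of
      (phone number -> username) pairs an enumerator can harvest.
    """

    def __init__(self, window_s: float = 3600.0, max_distinct: int = 500,
                 max_per_request: int = 100) -> None:
        self.window_s = window_s
        self.max_distinct = max_distinct
        self.max_per_request = max_per_request
        # client -> (timestamp, number) pairs, oldest first
        self._seen: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)

    def _evict(self, client: str, now: float) -> None:
        """Drop lookups that have aged out of the sliding window."""
        q = self._seen[client]
        while q and now - q[0][0] > self.window_s:
            q.popleft()

    def observe(self, ev: LookupEvent) -> str:
        """Return "reject_batch", "throttle" or "ok" for one request."""
        if len(ev.numbers) > self.max_per_request:
            return "reject_batch"          # oversized upload, not counted
        self._evict(ev.client, ev.ts)
        q = self._seen[ev.client]
        for n in ev.numbers:
            q.append((ev.ts, n))
        # Repeated lookups of the same number do not add to the budget;
        # only distinct numbers reveal new username mappings.
        distinct = len({n for _, n in q})
        return "throttle" if distinct > self.max_distinct else "ok"

    def distinct_in_window(self, client: str, now: float) -> int:
        self._evict(client, now)
        return len({n for _, n in self._seen[client]})


def sample_events() -> List[LookupEvent]:
    """Constructed traffic: one ordinary client, one range walker."""
    events = [LookupEvent(0.0, "phone-A",
                          tuple(f"+1555000{i:04d}" for i in range(40)))]
    # The walker submits 100 consecutive numbers every 10 seconds.
    for i in range(6):
        block = tuple(f"+1555{100000 + i * 100 + k:06d}" for k in range(100))
        events.append(LookupEvent(10.0 * (i + 1), "scraper-B", block))
    # ...and then tries one oversized upload of 101 numbers.
    events.append(LookupEvent(70.0, "scraper-B",
                              tuple(f"+1555{200000 + k:06d}" for k in range(101))))
    return events


def run(events: List[LookupEvent],
        detector: EnumerationDetector = None) -> Dict[str, List[str]]:
    """Replay events in time order and collect each client's verdicts."""
    det = detector or EnumerationDetector()
    verdicts: Dict[str, List[str]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        verdicts[ev.client].append(det.observe(ev))
    return dict(verdicts)


if __name__ == "__main__":
    for client, vs in run(sample_events()).items():
        print(client, vs)
```

With the default thresholds the ordinary client's single 40-number upload is accepted, while the range walker is accepted for five uploads, throttled on the sixth (600 distinct numbers in the window) and has its oversized upload rejected outright. The per-request cap alone is not enough, which is the point the SnapchatDB operators make about "minor obstacles": a client can simply send more small requests, so the distinct-number budget per window is the control that actually limits how much of the number space can be resolved.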
Whoever is behind SnapchatDB told The Verge that Snapchat had not, in fact, taken sufficient action to protect users’ data: “Once we started scraping on a large scale, they decided to implement minor obstacles, which were still far from enough. Even now the exploit persists. It is still possible to scrape this data on a large scale.”
Snapchat’s blog post and SnapchatDB’s actions stemmed from a Christmas Eve post by Gibson Security detailing Snapchat code that would allow access to Snapchat user information.
CNET has contacted Snapchat for comment and will update this story when we hear back.