Last week, popular private-messaging service Snapchat was publicly warned that its app contained two critical security vulnerabilities, but the company did little to fix the flaws and dismissed the warning as "theoretical."
Yesterday (Jan. 1), someone used the vulnerabilities to collect more than 4.6 million user accounts and cellphone numbers from Snapchat's database.
If your username and cellphone number were exposed in this data breach, then all other online accounts that use the same username are also at risk. Change your passwords — and the usernames, if you can — on those other accounts.
The user data, briefly posted on a website called SnapchatDB.com, consists of usernames and matched cellphone numbers. The last two digits of every number are crossed out, although SnapchatDB's anonymous creators said they might reveal full cellphone numbers in the future.
The creators of SnapchatDB claim the data include the "vast majority" of Snapchat's users, but they appear to be exaggerating; Snapchat's userbase is allegedly three times the size of the data breach.
A group of Reddit users analyzed the data and found that it consisted only of North American phone numbers, with only 76 of the United States' 322 area codes, and only two Canadian area codes, represented.
SnapchatDB.com, which appears to be hosted in Latvia, has since gone offline, but copies of the data continue to circulate on other websites.
Snapchat apparently has known about these vulnerabilities since August. On Christmas Day, Australian security research firm Gibson Security said that it had privately contacted Snapchat in August with news of the two flaws, in accordance with typical security research etiquette.
One of the flaws Gibson Security found could be used to create unlimited amounts of dummy Snapchat accounts in bulk. The other would let someone use a dummy account to search Snapchat's entire userbase for individuals' names and numbers. Together, these flaws could pose a serious threat to Snapchat's much-vaunted secure and private messaging service.
Gibson Security said Snapchat neither thanked the security firm for finding the flaws nor did anything to fix the flaws. So Gibson Security did a little hands-on demonstration to show Snapchat how serious the flaws were.
On Dec. 24, 2013 (Dec. 25 in Australia, where the company is based), Gibson Security posted an explanation of the two flaws, as well as the code for Snapchat's mobile API (application programming interface), on its website.
APIs, also called developer hooks, let third parties bypass the interface that regular users see to access Snapchat's huge database of account info in order to build new features and plugins.
It appeared that anyone could use the information Gibson revealed to make a clone of Snapchat's Android or iOS API, giving them access to Snapchat's database, and then use the flaws to create fake accounts, gather information on other users, and spam or even stalk them.
Publicly revealing unaddressed security flaws is also a fairly established practice among third-party security researchers. Gibson says their intention was to force Snapchat to pay attention to them and take the vulnerability seriously.
However, Snapchat didn't seem to be worried. In a Dec. 27 blog post, the company hypothesized that the information Gibson revealed could be used to "theoretically… upload a huge set of phone numbers…[and] create a database of the results and match usernames to phone numbers that way."
Snapchat then dismissed that possibility, writing that "Over the past year, we've implemented various safeguards to make it more difficult to do."
However, Snapchat's safeguards were not enough. Using the API code and vulnerabilities revealed by Gibson — and, from the looks of it, the "theoretical" strategy that Snapchat itself outlined — the creators of SnapchatDB paired 4.6 million North American phone numbers with their associated Snapchat usernames.
"Even now, the exploit persists," SnapchatDB's creators told TechCrunch in an emailed statement. "It is still possible to scrape this data on a large scale. Their latest changes are still not too hard to circumvent."
The data collection is not a true hack; it simply uses Snapchat's own tools to massively scrape data from Snapchat's own servers, much in the way a Google search-engine "spider" collects data from websites for archiving.
The scraping script may have taken advantage of the Snapchat app's contact-list feature, which combs a user's contact lists for cellphone numbers and then runs those numbers against Snapchat's servers for matches.
If you have a Snapchat account, you can check to see if your account was leaked using this tool by Gibson Security, or another called Snapcheck.org. You could also simply download the database yourself — a simple Google search will bring it up — and do a manual search for your username or phone number.
- 7 Ways to Lock Down Your Online Privacy
- 12 More Things You Didn't Know Could Be Hacked
- 13 Security and Privacy Tips for the Truly Paranoid