Skip to main content

Snapchat Data Breach: What Went Wrong and What to Do

Last week, popular private-messaging service Snapchat was publicly warned that its app contained two critical security vulnerabilities, but the company did little to fix the flaws and dismissed the warning as "theoretical."

Yesterday (Jan. 1), someone used the vulnerabilities to collect more than 4.6 million user accounts and cellphone numbers from Snapchat's database.

If your username and cellphone number were exposed in this data breach, then all other online accounts that use the same username are also at risk. Change your passwords — and the usernames, if you can — on those other accounts.

MORE: Mobile Security Guide: Everything You Need to Know

The user data, briefly posted on a website called SnapchatDB.com, consists of usernames and matched cellphone numbers. The last two digits of every number are crossed out, although SnapchatDB's anonymous creators said they might reveal full cellphone numbers in the future.

The creators of SnapchatDB claim the data include the "vast majority" of Snapchat's users, but they appear to be exaggerating; Snapchat's userbase is allegedly three times the size of the data breach.  

A group of Reddit users analyzed the data and found that it consisted only of North American phone numbers, with only 76 of the United States' 322 area codes, and only two Canadian area codes, represented.

SnapchatDB.com, which appears to be hosted in Latvia, has since gone offline, but copies of the data continue to circulate on other websites.

Snapchat apparently has known about these vulnerabilities since August. On Christmas Day, Australian security research firm Gibson Security said that it had privately contacted Snapchat in August with news of the two flaws, in accordance with typical security research etiquette.

One of the flaws Gibson Security found could be used to create unlimited amounts of dummy Snapchat accounts in bulk. The other would let someone use a dummy account to search Snapchat's entire userbase for individuals' names and numbers. Together, these flaws could pose a serious threat to Snapchat's much-vaunted secure and private messaging service.

Gibson Security said Snapchat neither thanked the security firm for finding the flaws nor did anything to fix the flaws. So Gibson Security did a little hands-on demonstration to show Snapchat how serious the flaws were.

On Dec. 24, 2013 (Dec. 25 in Australia, where the company is based), Gibson Security posted an explanation of the two flaws, as well as the code for Snapchat's mobile API (application programming interface), on its website.

APIs, also called developer hooks, let third parties bypass the interface that regular users see to access Snapchat's huge database of account info in order to build new features and plugins.  

It appeared that anyone could use the information Gibson revealed to make a clone of Snapchat's Android or iOS API, giving them access to Snapchat's database, and then use the flaws to create fake accounts, gather information on other users, and spam or even stalk them.

Publicly revealing unaddressed security flaws is also a fairly established practice among third-party security researchers. Gibson says their intention was to force Snapchat to pay attention to them and take the vulnerability seriously.

However, Snapchat didn't seem to be worried. In a Dec. 27 blog post, the company hypothesized that the information Gibson revealed could be used to "theoretically… upload a huge set of phone numbers…[and] create a database of the results and match usernames to phone numbers that way."

Snapchat then dismissed that possibility, writing that "Over the past year, we've implemented various safeguards to make it more difficult to do."

However, Snapchat's safeguards were not enough. Using the API code and vulnerabilities revealed by Gibson — and, from the looks of it, the "theoretical" strategy that Snapchat itself outlined — the creators of SnapchatDB paired 4.6 million North American phone numbers with their associated Snapchat usernames.

"Even now, the exploit persists," SnapchatDB's creators told TechCrunch in an emailed statement. "It is still possible to scrape this data on a large scale. Their latest changes are still not too hard to circumvent."

The data collection is not a true hack; it simply uses Snapchat's own tools to massively scrape data from Snapchat's own servers, much in the way a Google search-engine "spider" collects data from websites for archiving.

The scraping script may have taken advantage of the Snapchat app's contact-list feature, which combs a user's contact lists for cellphone numbers and then runs those numbers against Snapchat's servers for matches.

If you have a Snapchat account, you can check to see if your account was leaked using this tool by Gibson Security, or another called Snapcheck.org. You could also simply download the database yourself — a simple Google search will bring it up — and do a manual search for your username or phone number.

Email jscharr@techmedianetwork.com or follow her @JillScharr and Google+.  Follow us @TomsGuide, on Facebook and on Google+.

  • bmwman91
    lol

    Should have taken the $3B when they had the chance.....
    Reply
  • ddpruitt
    Snapchat Data Breach: What Went Wrong

    I thing the answer is the same as pretty much any other major security breach. Security was/is and ancillary concern, someone let them know there was a flaw you could run the titanic through, they didn't want to spend money to fix it, and the rest is history. Until companies take security as a serious threat to their bottom line they're not going to do anything to improve it, we've seen this over and over again.
    Reply
  • lockhrt999
    Right in the nuts, ouch!
    Reply
  • ssalim
    This is why I don't have/use facebook, twitter or snapchat.
    Reply
  • rRansom
    Hey, we found a bug in your system. No? You don't want to fix it? Yeah, let me just let the world know how bad your security is. Case closed.
    Reply
  • Steve_Lockstep
    It's not really responsible to encourage people to click on links that purport to tell you if you're affected by this or any other breach. There are dozens of such links tweeting around that are probably phishing scams.
    Given the nature of this breach -- someone used a now well-known API to poll the database millions of times -- we should probably simply assume that the entire Snapchat database has been accessed (even if only 4.6M records have been posted). If you are not in the 4.6M then you annot be sure you're safe. And what are people going to do in any event? Change their phone number? It's too late! The grave thing about breached phone numbers is that they are going to be used by organised criminals as indices to link multiple data sets; the phone number in itself is almost irrelevant. Nobody should ever give their phone number to a social site.
    The long term personal ramifications could be card fraud or identity takeover. The only ting people can do if they're Snapchat users is to stay vigilant, closely watch their card statements, maybe subscribe to a credit watch service ... all of which is good advice these days regardless.
    Reply
  • alextheblue
    You're recommending a password change... were passwords leaked as well?

    "The data collection is not a true hack; it simply uses Snapchat's own tools to massively scrape data from Snapchat's own servers, much in the way a Google search-engine "spider" collects data from websites for archiving."

    Everything I've read to date makes it sound like they've mass-scraped usernames and phone numbers (which is bad enough) but I haven't heard anything about passwords being compromised.
    Reply
  • deborahjmurray
    my classmate's aunt makes $76 an hour on the internet. She has been unemployed for eight months but last month her check was $20677 just working on the internet for a few hours. check this =============> www.jobs39.com
    Reply
  • lindagharnden
    til I saw the receipt saying $8589, I accept ...that...my best friend was like they say actualy erning money part-time on their laptop.. there best friend haz done this less than twenty one months and just now repaid the morgage on there home and bourt a top of the range Citroën DS. read more►●►●►●► www.jobs39.com
    Reply
  • 11796pcs
    I'm hoping someone goes in and deletes everything on Snapchat's servers.
    Reply