It didn’t take long for hackers to exploit a previously disclosed vulnerability in the popular photo sharing application Snapchat. As yet unidentified hackers spent yesterday’s New Year’s holiday dumping 4.6 million of the service’s usernames and partial phone numbers and posting them online for the public to peruse.
The site that was hosting the slew of information, SnapchatDB.info, remains offline this afternoon. In its place a note from the site’s hosting company acknowledges the account corresponding to the site has been suspended.
For a short time yesterday the site allowed anyone to download all of the leaked data as either a SQL dump or CSV text file.
The hackers responsible for disclosing the information claim they omitted the last two digits of the leaked phone numbers to “minimize spam and abuse” but encouraged interested parties to contact them for the full database.
“Feel free to contact us to ask for the uncensored database. Under certain circumstances, we may agree to release it,” read one part of the site, which has been since cached on Google.
Information about the site is sparse but according to whois.domaintools.com, someone whose address and phone number can be traced to Panama registered the site on New Year’s Eve.
It isn’t clear if the leaked information is legitimate but the fact that the site was taken offline so fast suggests there may have been some validity to the hack and that that due to the sensitive nature of the data, the company may have had it removed.
Representatives from the company failed to immediately respond to a request for comment Thursday.
News of the hack spread first on YCombinator’s Hacker News site. From there some sleuths on Reddit were able to comb through the millions of phone numbers to deduce that the average Snapchat user has a better chance of not being on the list than being on it.
Based on the leaked telephone area codes, if the phone number attached to a Snapchat account is based in one of the following states, the account’s information likely isn’t in the database:
- Alaska
- Delaware
- Hawaii
- Kansas
- Maryland
- Mississippi
- Missouri
- Montana
- Nebraska
- Nevada
- New Hampshire
- New Mexico
- North Carolina
- North Dakota
- Oklahoma
- Oregon
- Rhode Island
- Utah
- Vermont
- West Virginia
- Wyoming
The leaked phone numbers appear to be largely contained to North America and includes users from major cities across the United States (Los Angeles, Chicago, Denver, etc.) and some remote parts of Northern Canada.
Researchers at Gibson Security warned about the bug in a full disclosure post on their site Christmas Eve claiming it was “ridiculously easy” to use Snapchat’s API to match its users’ phone numbers with usernames on a massive scale. According to the researchers, despite disclosing the bug to the company in August, Snapchat hadn’t made any moves to fix the issue in the last five months.
Snapchat went as far as to dismiss Gibson Security’s claims in a blog post last Friday, claiming the company doesn’t display phone numbers to other users and doesn’t support the ability to look up phone numbers by username. The group tried to quell fears by claiming they’ve “implemented counter-measures and continue to make improvements to combat spam and abuse.”
What could prove to be quite the blunder for Snapchat is that the company may actually helped the hackers by suggesting how to create a database like the one that was leaked in the same blog post.
“Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database if the results and match usernames to phone numbers that way,” warned the post.
It appears the hackers were able to do just that, just on a lesser scale.
It’s not yet certain what percentage of Snapchat’s users may have been put at risk by the hack. The app was used by more than 8 million U.S. users in May 2013 according to data provided by Nielsen this past summer but it’s almost positive that figure has jumped since, especially in wake of the app’s increased popularity.
As a service to anyone who might be worried their account information is out there, Gibson have put together a searchable, web-based tool that allows users to verify whether or not their data has been leaked.
