Millions of phone numbers and usernames were exposed in a hack of an app that’s especially popular among teens.
Snapchat, which is among the newer social media apps that experts say is diluting Facebook’s popularity, is a phone messaging app that allows users to send photos or brief messages. The appeal of the app is that it only hosts up to 10 seconds before it’s deleted.
But Gibson Security before Christmas posted information on its website that showed how user information could be compromised due to a security flaw on Snapchat’s part.
Here’s Snapchat’s full statement about the Gibson’s information (emphasis added):
Occasionally computer security professionals and other helpful people reach out to us about potential bugs and vulnerabilities in Snapchat. We are grateful for the assistance of professionals who practice responsible disclosure and we’ve generally worked well with those who have contacted us.
This week, on Christmas Eve, a security group posted documentation for our private API. This documentation included an allegation regarding a possible attack by which one could compile a database of Snapchat usernames and phone numbers.
Our Find Friends feature allows users to upload their address book contacts to Snapchat so that we can display the accounts of Snapchatters who match the phone numbers found in the address book. Adding a phone number to your Snapchat account is optional, but it’s helpful for allowing your friends to find you. We don’t display the phone numbers to other users and we don’t support the ability to look up phone numbers based on someone’s username.
Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way. Over the past year we’ve implemented various safeguards to make it more difficult to do. We recently added additional counter-measures and continue to make improvements to combat spam and abuse.
But this theoretical situation became not so theoretical on New Year’s Eve when a database, which is now offline, was posted with 4.6 million Snapchat usernames and phone numbers.
“The company was too reluctant at patching the exploit until they knew it was too late and companies that we trust with our information should be more careful when dealing with it,” the hackers wrote on the database’s website, according to GigaOM.
So now, it’s important to check if your — or your kid’s — account information has been compromised.
Will Smidlein and Robbie Trencheny created a tool Snapchat users can use to check their status in the leak.
Smidlein told Mashable they created the tool to “help the public quickly understand if they were affected so that they could take the appropriate actions.”
If you find your data was leaked, Gibson Security has a few orders of business for you.
First and foremost, you can delete your Snapchat account here - sadly, this won’t remove your phone number from the already circulating leaked database.
If you feel that you’d rather unscrupulous entities not potentially have your phone number, you’re free to contact your phone TelCo, and request that they give you a new number. If you detail the breach, they’ll almost certainly give you a new one.
Lastly, ensure that your security settings are up to scratch on your social media profiles. Be careful about what data you give away to sites when you sign up – if you don’t think a service requires your phone number, don’t give it to them.
Watch this report about the hack from WPIX-TV:
Check if your information was compromised using the tool on GS Lookup.
(H/T: Daily Mail)