Could 4.6 Million Phone Numbers Be Released on Snapchat?
Anonymous hackers posted information, and another reality check, for millions of online account holders, this time users of the online service known as "Snapchat."
More than 4.6 million accounts were listed with telephone numbers displayed but partially censored. The website, www.snapchatdb.info/, has since been disabled, at least temporarily, but those who posted the information said it could be released again under certain circumstances.
Snapchat is a photo-sharing website that, in addition to pictures, stores location information about users.
The "attack" comes after Snapchat was recently criticized over its perceived failure to address security issues with its database. In a blog on its website Snapchat responded to those concerns, but not to the satisfaction of many who say that the site still leaves users vulnerable.
On December 27, 2013 the Snapchat posted the following:
"Occasionally computer security professionals and other helpful people reach out to us about potential bugs and vulnerabilities in Snapchat. We are grateful for the assistance of professionals who practice responsible disclosure and we’ve generally worked well with those who have contacted us.
This week, on Christmas Eve, a security group posted documentation for our private API. This documentation included an allegation regarding a possible attack by which one could compile a database of Snapchat usernames and phone numbers.
Our Find Friends feature allows users to upload their address book contacts to Snapchat so that we can display the accounts of Snapchatters who match the phone numbers found in the address book. Adding a phone number to your Snapchat account is optional, but it’s helpful for allowing your friends to find you. We don’t display the phone numbers to other users and we don’t support the ability to look up phone numbers based on someone’s username.
Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way. Over the past year we’ve implemented various safeguards to make it more difficult to do. We recently added additional counter-measures and continue to make improvements to combat spam and abuse.
In a December 27, 2013 article in the technology and culture magazine The Verge author Jacob Kastrenakes makes reference to the statement by private research firm Gibson Security, which says that "...a hacker could check 10,000 phone numbers in just seven minutes." That news may scare some, especially for those with young persons in their family who use photo-sharing services.
Gibson made the disclosure after making a similar revelation on August 27, 2013. Under the "Foreword and Notes" section of their latest website release about Snapchat, Gibson representatives say, "Seeing that nothing had been really been improved upon (although, stories are using AES/CBC rather than AES/ECB, which is a start), we decided that it was in everyone's best interests for us to post a full disclosure of everything we've found in our past months of hacking the gibson."
Whether the issue is a valid concern or not will ultimately be left up to users of Snapchat, who - through their decision to continue use of the website or not - will ultimately decide whether the service is worth any perceived risk.