A recent hack of the popular photo service Snapchat left usernames and phone numbers exposed to the world. In fact, 4.6 million usernames and phone numbers have been leaked. This was done in an attempt to raise awareness about Snapchat’s insecure service practices. The company was warned about these security issues, but the advice was ignored. This, in turn, led to drastic action… like exposing 4.6 million phone numbers.
Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed. It is understandable that tech startups have limited resources but security and privacy should not be a secondary goal. Security matters as much as user experience does.
We used a modified version of gibsonsec’s exploit/method. Snapchat could have easily avoided that disclosure by replying to Gibsonsec’s private communications, yet they didn’t. Even long after that disclosure, Snapchat was reluctant to take the necessary steps to secure user data. Once we started scraping on a large scale, they decided to implement very minor obstacles, which were still far from enough. Even now the exploit persists. It is still possible to scrape this data on a large scale. Their latest changes are still not too hard to circumvent.
We wanted to minimize spam and abuse that may arise from this release. Our main goal is to raise public awareness on how reckless many internet companies are with user information. It is a secondary goal for them, and that should not be the case. You wouldn’t want to eat at a restaurant that spends millions on decoration, but barely anything on cleanliness.
You can now check if you were one of the lucky 4.6 million people to get their phone numbers leaked. Hit the source link, enter your username, and the site will tell you if you’re a victim of Snapchat’s ignorance and a hacker’s goals. Unfortunately, my number was leaked.
If you don’t want to support a company that takes security so lightly, I suggest you delete your Snapchat account and uninstall the app. I definitely won’t be using the service if they treat our personal information so poorly. This should be a lesson to all small companies: make sure your app is secure before ever making it public.
Was your number leaked?