Snapchat blames feature 'abuse' for phone number and username leak, issues no apology
Snapchat has received quite a bit of publicity after allegedly turning down buyout offers of billions of dollars from Facebook and Google. Now, the service is in the spotlight once again following a leak that exposed 4.6 million phone numbers and usernames.
Snapchat has responded to the leak in a blog post, which explains that the culprit is actually an abuse of the Find Friends feature. According to the service, "it was possible for an attacker to use the functionality of Find Friends to upload a large number of random phone numbers and match them with Snapchat usernames. On New Years Eve [sic], an attacker released a database of partially redacted phone numbers and usernames. No other information, including Snaps, was leaked or accessed in these attacks".
Snapchat admits it knew about the hack, and says that, "shortly after", it "implemented practices like rate limiting aimed at addressing these concerns". A previous blog post tried to assuage concerns of a possible leak of phone numbers and usernames. "Over the past year we've implemented various safeguards to make it more difficult to do. We recently added additional counter-measures and continue to make improvements to combat spam and abuse", says Snapchat. Clearly, not enough was done to prevent the leak.
Gibson Security is responsible for discovering the "potential Find Friends abuse" (as the service calls it), informing Snapchat and publishing a report about it earlier last year. The exploit was publicly documented, by the same group, on Christmas. Another group, responsible for the SnapchatDB which contains the affected phone numbers and usernames, leaked the data on New Year's Eve because Snapchat allegedly did not "care enough to implement something as simple as rate limiting" to fix the problem.
Snapchat has promised that updated apps will be released, which will allow its users to opt out of showing up in Find Friends results after verifying their phone number. The service also promises that rate limiting will be improved, and other restrictions will be set in place in order to prevent future attempts at "abuse". There is even a new email address -- security at Snapchat dot com -- for security experts to use after discovering ways to hack Snapchat.
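The two mitigations the article describes, a per-caller budget on how many numbers can be matched (charged per number, not per request, so large uploads cannot dodge it) and an opt-out flag that keeps a verified number out of Find Friends results, as an added example; this is illustrative code written for this page, not Snapchat's, and the class name, limits and sample numbers are assumptions.

```python
from collections import defaultdict, deque
import time

MAX_BATCH = 100        # phone numbers accepted in one Find Friends request (assumed value)
MAX_LOOKUPS = 500      # numbers one caller may match per window (assumed value)
WINDOW_SECONDS = 3600  # sliding window for the per-caller budget

class ContactMatcher:
    """Matches uploaded phone numbers to usernames under a per-caller budget.

    `directory` maps phone number -> (username, discoverable); `now` is
    injectable so the sliding window can be tested without sleeping.
    """

    def __init__(self, directory, now=time.monotonic):
        self._directory = directory
        self._now = now
        self._history = defaultdict(deque)  # caller -> timestamps of past lookups

    def _spend(self, caller, count):
        """Charge `count` lookups to caller; False if the budget would be exceeded."""
        now = self._now()
        hist = self._history[caller]
        while hist and now - hist[0] >= WINDOW_SECONDS:
            hist.popleft()                   # forget lookups outside the window
        if len(hist) + count > MAX_LOOKUPS:
            return False                     # refuse before touching the directory
        hist.extend([now] * count)
        return True

    def find_friends(self, caller, phones):
        """Return {phone: username} for discoverable accounts among `phones`."""
        if len(phones) > MAX_BATCH:
            raise ValueError("batch too large")
        # The budget counts numbers, not requests: charging per request would let
        # one caller match a huge range of numbers by packing them into few uploads.
        if not self._spend(caller, len(phones)):
            raise PermissionError("rate limit exceeded")
        matches = {}
        for phone in phones:
            entry = self._directory.get(phone)
            if entry is not None and entry[1]:   # opted-out accounts never appear
                matches[phone] = entry[0]
        return matches

# Constructed sample directory: bob has opted out of Find Friends.
SAMPLE_DIRECTORY = {
    "+15550000001": ("alice", True),
    "+15550000002": ("bob", False),
}
```

Numbers that match nothing are still charged against the budget, which is the case that matters here: random-number uploads are exactly what the budget is meant to make expensive.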
Some users, however, are disappointed that Snapchat did not issue a public apology after millions of usernames and phone numbers (possibly theirs too) were leaked. Considering that, according to the hackers, the data was exposed with only minor tweaks to the original exploit that Snapchat was contacted about earlier, and it happened just days after Snapchat promised it had beefed up its security, expecting such an apology is fully understandable.