A Snapchat security breach affects 4.6 million users. Did Snapchat drag its feet on a fix? By Brian Fung

02/01/2014 18:32

Snapchat users are waking up to troubling news: Thanks to a gap in the service's security, the phone numbers and usernames for as many as 4.6 million accounts have been downloaded by a Web site calling itself SnapchatDB.info.

The hack appears to be real, affecting at least one member of the TechCrunch editorial team and possibly Snapchat founder Evan Spiegel himself.

To see whether your account is among the compromised, you can use this basic Web site, whipped up by a couple of developers named Robbie Trencheny and Will Smidlein, that simply checks the list for your details.

SnapchatDB reportedly gained access to the Snapchat data through a vulnerability disclosed by a group of security researchers last week. In a report posted on Christmas Day, Australia-based Gibson Security explained how the app's Android and iOS API could be hacked to expose user information.

Two days later, Snapchat wrote a blog post saying it was no big deal -- that it had put in place some obstacles to "make it more difficult to do."

"We are grateful for the assistance of professionals who practice responsible disclosure," Snapchat said, "and we’ve generally worked well with those who have contacted us."

Yet SnapchatDB's exploit suggests that whatever safeguards the company put in place weren't enough.

"Even now the exploit persists," SnapchatDB said in a statement. "It is still possible to scrape this data on a large scale. Their latest changes are still not too hard to circumvent."

The people behind SnapchatDB also accused Snapchat of being sluggish to respond to the Gibson Security team from the outset, charging that the company failed to reply to the Australian researchers privately until after they posted the existence of the vulnerabilities on the Web.

SnapchatDB isn't entirely blameless in this incident, either. By releasing the database into the open, it has exposed the personal information of Snapchat's users. The goal may have been to get Snapchat's attention -- if they weren't listening before, they must be now -- but consumers are stuck in the middle with nowhere to go.

Snapchat had not replied to a request for comment as of Wednesday morning (we'll update this post if it does). But its Dec. 27 blog post didn't say that the exploit had been conclusively resolved -- just that it had thrown some obstacles in the path of would-be hackers. If the accusations about Snapchat's response time prove true, it implies a pretty cavalier attitude on its part toward security -- not to mention the privacy its vanishing photos are meant to provide in the first place.

Source: https://www.washingtonpost.com/blogs/the-switch/wp/2014/01/01/a-snapchat-security-breach-affects-4-6-million-users-did-snapchat-drag-its-feet-on-a-fix/