Confirmed: Snapchat Hack Not A Hoax, 4.6M Usernames And Numbers Published

A site called SnapchatDB.info has saved usernames and phone numbers for 4.6 million accounts and made the information available for download. In a statement to us, SnapchatDB says that it got the information through a recently identified and patched Snapchat exploit and that it is making the data available in an effort to convince the messaging app to beef up its security. We’ve also reached out to Snapchat.
SnapchatDB said:

Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed. It is understandable that tech startups have limited resources but security and privacy should not be a secondary goal. Security matters as much as user experience does.

We used a modified version of gibsonsec’s exploit/method. Snapchat could have easily avoided that disclosure by replying to Gibsonsec’s private communications, yet they didn’t. Even long after that disclosure, Snapchat was reluctant to take the necessary steps to secure user data. Once we started scraping on a large scale, they decided to implement very minor obstacles, which were still far from enough. Even now the exploit persists. It is still possible to scrape this data on a large scale. Their latest changes are still not too hard to circumvent.

We wanted to minimize spam and abuse that may arise from this release. Our main goal is to raise public awareness on how reckless many internet companies are with user information. It is a secondary goal for them, and that should not be the case. You wouldn’t want to eat at a restaurant that spends millions on decoration, but barely anything on cleanliness.

Earlier we speculated that SnapchatDB might be a hoax meant to call attention to the app’s security issues but, as it turns out, it’s real–at least one member of our editorial team has been affected. A reader also told us he found his own number, as well as those of several friends and Snapchat founder Evan Spiegel, in the list. On Hacker News, several people have had trouble downloading the data files (I just got an error message for both of them, but that may be because of high traffic), but a Jailbreak subreddit user who saw the list said that only numbers in some parts of the U.S. have been published so far. If you have not been able to download the list, you can use this site created by developer Robbie Trencheny to see if your username was included.

Read more at Tech Crunch