FutureFive New Zealand - Consumer technology news & reviews from the future
Fri, 3rd Jan 2014

Up to 4.6 million Snapchat users have been hacked, with website SnapchatDB.info taking responsibility for the security breach.

The website saved the usernames and phone numbers of the accounts and has since made the information available for download, in an apparent bid to force the messaging app to increase security.

“Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed,” SnapchatDB.info told tech website TechCrunch.

“It is understandable that tech startups have limited resources but security and privacy should not be a secondary goal.

“Security matters as much as user experience does.”

The website used a modified version of Gibsonsec’s exploit/method, and claimed Snapchat could have “easily avoided that disclosure by replying to Gibsonsec’s private communications, yet they didn’t.”

“Even long after that disclosure, Snapchat was reluctant to take the necessary steps to secure user data,” the website told TechCrunch.

“Once we started scraping on a large scale, they decided to implement very minor obstacles, which were still far from enough.

“Even now the exploit persists. It is still possible to scrape this data on a large scale. Their latest changes are still not too hard to circumvent.

“We wanted to minimize spam and abuse that may arise from this release. Our main goal is to raise public awareness on how reckless many internet companies are with user information.

“It is a secondary goal for them, and that should not be the case. You wouldn’t want to eat at a restaurant that spends millions on decoration, but barely anything on cleanliness.”

Snapchat…

In response to the breach, an official Snapchat spokesperson told TechCrunch:

“Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way.

“Over the past year we’ve implemented various safeguards to make it more difficult to do.”