Hackers claim to expose phone information of 4.6 million Snapchat users

A security firm had pointed to a vulnerability that could help attackers find the phone numbers of many users

Phone numbers paired with user names of over 4.6 million alleged Snapchat users were posted online by hackers, a few days after a security research group claimed a vulnerability in the social sharing service that could allow attackers to match phone numbers to Snapchat accounts.

"This database contains username and phone number pairs of a vast majority of the Snapchat users," said a post on website SnapchatDB.info. The account has since been suspended, apparently by the hosting service. A cached version of the site can be viewed here.

The information was acquired through the recently patched Snapchat exploit and is being shared with the public to raise awareness on the issue, according to the post. "The company was too reluctant at patching the exploit until they knew it was too late and companies that we trust with our information should be more careful when dealing with it," it added.

The hackers said they had "censored" for now the last two digits of the phone numbers in order to minimize spam and abuse, but asked people to contact them for the uncensored database, which they may agree to release under certain circumstances.

Gibson Security had published proof-of-concept code last week that takes advantage of the "find_friends" feature in the Snapchat application programming interface (API) to iterate and match the phone numbers of users to their Snapchat accounts in a short period of time. Gibson first revealed the vulnerability and other issues in August.

"Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way," Snapchat wrote in response last week. "Over the past year we've implemented various safeguards to make it more difficult to do," it added. "We recently added additional counter-measures and continue to make improvements to combat spam and abuse."

After the release of the SnapchatDB database, Gibson said in a Twitter message that it knew nothing about SnapchatDB, but it was a matter of time until something like it happened. "Also the exploit works still with minor fixes," it added.

Snapchat could not be immediately reached for comment.

"People tend to use the same username around the web so you can use this information to find phone number information associated with Facebook and Twitter accounts, or simply to figure out the phone numbers of people you wish to get in touch with," according to the post on SnapchatDB.info.

John Ribeiro covers outsourcing and general technology breaking news from India for The IDG News Service. Follow John on Twitter at @Johnribeiro. John's e-mail address is john_ribeiro@idg.com

Join the CSO newsletter!

Error: Please check your email address.

Tags Gibson SecuritySnapChatsecurity

More about FacebookIDG

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by John Ribeiro

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place