2014 has barely started and we already have our first leak, a Snapchat database containing 4.6 million phone numbers and usernames has leaked on to the Internet and has been made downloadable for all of the world to see.
The site housing the leak, SnapchatDB, currently offers two download formats: One SQL dump and one CSV text file. Right now both files show the location data of all users but to help combat abuse, the last two digits of all phone numbers have been censored, for now at least. The site owner makes it quite clear that they are willing to release an uncensored version:
“For now, we have censored the last two digits of the phone numbers in order to minimize spam and abuse. Feel free to contact us to ask for the uncensored database. Under certain circumstances, we may agree to release it. ”
Here's the sites explanation of what you're downloading: “You are downloading 4.6 million users' phone number information, along with their usernames. People tend to use the same username around the web so you can use this information to find phone number information associated with Facebook and Twitter accounts, or simply to figure out the phone numbers of people you wish to get in touch with.”
You might be asking yourself, why did this person leak the personal data of 4.6 million people? Well he did it because Snapchat were too slow to respond to the problem. The story starts off with the research group, Gibson Security, which raised concerns after finding a security hole in the app's “find friends with numbers” function. After Snapchat failed to patch the problem or even acknowledge the loop hole, Gibson Security released details of the app's API which allowed others to exploit the app. A few days later, Snapchat responded by downplaying the importance of this loop hole by saying that it had been making it difficult for hackers to upload every number in an area code over the last year but still went on to release a patch anyway.
It's unlikely that the database was leaked by someone from Gibson Security, the research group just showed hackers exactly what they needed to do to make this happen. The one behind the leak wrote on the website that they had done this because “The company was too reluctant at patching the exploit until they knew it was too late and companies that we trust with our information should be more careful when dealing with it.”
KitGuru Says: While it's true that a company should do everything it can to protect user information, I'm not sure I see the logic in leaking the database after the app was patched, Snapchat is worth an estimated $3 billion and a lot of people are still going to use it, probably without ever knowing that their personal data has been compromised.
Source: SnapchatDB, The Verge