Snapchat Finally Responds to User-Data Breach

“Wait, *who* has my phone number?”

Two days after hackers stole 4.6 million usernames and phone numbers from messaging service Snapchat, the company has responded with an official message and a planned software fix. (Snapchat vaporizes messages after a preset amount of time, making it a favorite of privacy-minded teenagers and paranoid folks alike.)

In a Jan. 2 posting on its official blog, Snapchat explained how the attackers managed to obtain the massive cache of user data—and partially blamed security researchers for the hack, which exploits a weakness in the software’s Find Friends feature.

“A security group first published a report about potential Find Friends abuse in August 2013,” the posting stated. “Shortly thereafter, we implemented practices like rate limiting aimed at addressing these concerns. On Christmas Eve, that same group publicly documented our API, making it easier for individuals to abuse our service and violate our Terms of Use.”

On New Year’s Eve, the attackers released their database for downloading, helpfully redacting the last two digits of every phone number (while claiming they’d be willing to release that withheld information under specific circumstances). Snapchat claims that no other data, including messages, “was leaked or accessed in these attacks.”

Now the company has no choice but to tweak its software in order to close the offending loophole. “We will be releasing an updated version of the Snapchat application that will allow Snapchatters to opt out of appearing in Find Friends after they have verified their phone number,” the posting continued. “We’re also improving rate limiting and other restrictions to address future attempts to abuse our service.”

At no point did the company’s blog posting offer an explicit apology for user data leaking into the open, although it did repost an email address (security@snapchat.com) for security researchers to use when reporting loopholes and exploits.

Irony alert: before news of the hack leaked, Snapchat had downplayed the idea of such a breach. “Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way,” read the company’s Dec. 27 blog posting. “Over the past year we’ve implemented various safeguards to make it more difficult to do.”
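The lookup-and-match mechanism the Dec. 27 posting describes, and the rate limiting and opt-out the Jan. 2 posting promises, as an added Python example (not Snapchat’s code, and not based on its actual API): a toy contact-lookup service with a per-upload cap, a sliding-window rate limit per client, a per-user discoverability flag, and a cheap detection signal (low hit ratio) for sweep-style uploads. The class names, parameter values, and every user and phone number are assumptions constructed for the example.

```python
# Added example (not Snapchat's code): a contact-lookup endpoint in the style
# of Find Friends with the safeguards the article mentions. Sample data is constructed.
import time
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class User:
    username: str
    phone: str                 # E.164 string (constructed values below)
    discoverable: bool = True  # False = opted out of Find Friends


# Constructed sample directory; names and numbers are fictitious.
DIRECTORY = [
    User("alice", "+15550000001"),
    User("bob", "+15550000002", discoverable=False),
    User("carol", "+15550000003"),
]


class FindFriendsService:
    """Matches uploaded phone numbers against the directory, with limits."""

    def __init__(self, directory=DIRECTORY, max_batch=50, max_requests=5,
                 window_seconds=60.0, clock=time.monotonic):
        self.max_batch = max_batch        # numbers allowed per upload
        self.max_requests = max_requests  # uploads per client per window
        self.window = window_seconds
        self.clock = clock                # injectable for offline tests
        self._by_phone = {u.phone: u for u in directory}
        self._recent = defaultdict(deque)  # client_id -> upload timestamps
        self._queried = defaultdict(int)   # client_id -> numbers looked up
        self._matched = defaultdict(int)   # client_id -> numbers matched

    def _rate_limited(self, client_id):
        """Sliding-window check; records the upload if it is allowed."""
        now = self.clock()
        q = self._recent[client_id]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_requests:
            return True
        q.append(now)
        return False

    def find_friends(self, client_id, phones):
        """Return {phone: username} for discoverable users only."""
        if len(phones) > self.max_batch:
            raise ValueError(f"{len(phones)} numbers exceeds max_batch={self.max_batch}")
        if self._rate_limited(client_id):
            raise PermissionError("rate limited; retry later")
        matches = {p: self._by_phone[p].username for p in phones
                   if p in self._by_phone and self._by_phone[p].discoverable}
        self._queried[client_id] += len(phones)
        self._matched[client_id] += len(matches)
        return matches

    def enumeration_suspects(self, min_queried=100, max_hit_ratio=0.05):
        """Clients that looked up many numbers and matched almost none: a real
        address book hits often, a sequential sweep rarely, so this is a cheap signal."""
        return sorted(cid for cid, n in self._queried.items()
                      if n >= min_queried and self._matched[cid] / n <= max_hit_ratio)


class FakeClock:
    """Deterministic clock so the window logic can be exercised offline."""
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


def demo():
    """Run a legitimate sync and a sequential sweep; return a summary dict."""
    clock = FakeClock()
    svc = FindFriendsService(max_batch=10, max_requests=3, window_seconds=60, clock=clock)
    # Legitimate address-book sync: alice is found, opted-out bob is not.
    legit = svc.find_friends("phone-A", ["+15550000001", "+15550000002", "+15559999999"])
    # Sweep from another client: only max_requests uploads get through per window.
    allowed = limited = 0
    for batch in range(10):
        sweep = [f"+1555200{n:04d}" for n in range(batch * 10, batch * 10 + 10)]
        try:
            svc.find_friends("phone-B", sweep)
            allowed += 1
        except PermissionError:
            limited += 1
    clock.advance(60)                                # window expires ...
    svc.find_friends("phone-B", ["+15552009999"])    # ... and the client is served again
    return {"legit_matches": legit, "sweep_allowed": allowed, "sweep_limited": limited,
            "suspects": svc.enumeration_suspects(min_queried=30)}


if __name__ == "__main__":
    print(demo())
```

Running the module prints the summary: the legitimate sync returns only alice (bob opted out), the sweeping client gets three uploads through before the window shuts it out, and that client alone is flagged as a suspect. The hit-ratio check is worth pairing with the throttle, since a rate-limited sweep still completes, just slowly; flagging the client for review matters as much as slowing it down.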

Now the company’s in full damage-control mode. In the meantime, for the paranoid (or those who simply want to try out other messaging services), alternatives to Snapchat are available for Apple iOS and Android.

Image: Kostenko Maxim/Shutterstock.com