More than 4.6 million Snapchat users had their names and phone numbers grabbed and posted to a database on New Year’s Eve by an individual or group of hackers, Gigaom reported Dec. 31.
The information was posted as a downloadable database, with the last two digits of each phone number blurred out.
“The company was too reluctant at patching the exploit until they knew it was too late and companies that we trust with our information should be more careful when dealing with it,” the database site stated, according to Gigaom, which added that the hackers suggested that they “might be willing to turn over the raw data to the right party.”
News of the hack followed a Dec. 27 blog post by Snapchat, which told users that on Christmas Eve a security group “posted documentation for our private API.”
“This documentation included an allegation regarding a possible attack by which one could compile a database of Snapchat usernames and phone numbers,” said the unsigned post.
“Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way,” the post continued. “Over the past year we’ve implemented various safeguards to make it more difficult to do. We recently added additional counter-measures and continue to make improvements to combat spam and abuse.”
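The safeguard Snapchat's post alludes to is, in outline, a server-side limit on how many numbers one account may look up and a check for uploads shaped like an area-code sweep. The following is an added example written for this article, not Snapchat's code; the endpoint name, the limits, the account names and the sample numbers are all assumptions constructed here:

```python
"""
Added example (not Snapchat's code): a guard for a hypothetical
"find friends by phone number" endpoint. It enforces a per-request batch cap,
a per-account lookup budget over a sliding window, and a check for long runs
of consecutive numbers. Limits, names and sample numbers are assumptions.
"""
from collections import defaultdict, deque

MAX_NUMBERS_PER_REQUEST = 200   # assumed cap on one contact-list upload
MAX_LOOKUPS_PER_WINDOW = 1000   # assumed per-account budget per window
WINDOW_SECONDS = 3600           # assumed window length (one hour)


def looks_sequential(numbers, min_run=20):
    """True if the batch contains a run of at least min_run consecutive
    numbers, the shape an area-code or whole-country sweep would have."""
    digits = sorted({int(n) for n in numbers if n.isdigit()})
    run = 1
    for a, b in zip(digits, digits[1:]):
        run = run + 1 if b == a + 1 else 1
        if run >= min_run:
            return True
    return False


class FindFriendsGuard:
    def __init__(self, max_per_request=MAX_NUMBERS_PER_REQUEST,
                 max_per_window=MAX_LOOKUPS_PER_WINDOW,
                 window_seconds=WINDOW_SECONDS):
        self.max_per_request = max_per_request
        self.max_per_window = max_per_window
        self.window_seconds = window_seconds
        # account -> deque of (timestamp, numbers looked up in that request)
        self._history = defaultdict(deque)

    def check(self, account, numbers, now):
        """Return (allowed, reason). `now` is an explicit clock in seconds so
        the logic is testable. A lookup is recorded only when it is allowed."""
        if len(numbers) > self.max_per_request:
            return False, "batch exceeds per-request cap"
        if looks_sequential(numbers):
            return False, "sequential numbers (enumeration pattern)"
        history = self._history[account]
        # drop requests that have aged out of the sliding window
        while history and now - history[0][0] >= self.window_seconds:
            history.popleft()
        used = sum(count for _, count in history)
        if used + len(numbers) > self.max_per_window:
            return False, "lookup budget for window exceeded"
        history.append((now, len(numbers)))
        return True, "ok"


def demo():
    """Constructed scenario: one ordinary upload, one sweep-shaped upload, and
    one account that spends its whole hourly budget in seven uploads."""
    guard = FindFriendsGuard()
    # spread-out numbers, as a real contact list would be (constructed)
    normal = [str(2125550000 + i * 7919) for i in range(50)]
    # 200 consecutive numbers, the shape of a sweep (constructed)
    sweep = [str(2125550000 + i) for i in range(200)]
    ordinary = guard.check("alice", normal, now=0)
    swept = guard.check("mallory", sweep, now=0)
    budget = []
    for k in range(7):
        batch = [str(3105550000 + (k * 150 + i) * 7919) for i in range(150)]
        budget.append(guard.check("bob", batch, now=k * 60)[0])
    return ordinary, swept, budget


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: the clock is passed in rather than read from the system, so the window logic can be tested deterministically, and the budget counts numbers rather than requests, so splitting a sweep into many small uploads does not evade it. A real deployment would also return the same response shape whether or not a number is registered, so that the endpoint cannot be used as an oracle one number at a time.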
The Snapchat app offers a largely ephemeral way to share a moment, whether silly or tawdry. Shortly after an image—or collection of images; in October the company introduced Snapchat Stories—is opened, it automatically deletes. (The recipient can, however, snap a screenshot.)
Snapchat doesn’t share how many users it has, but it has said that it helps users share 350 million Snaps every day.
Snapchat hasn’t posted a response to the reports on its blog, and the site where the content was stored—hosted by JDR Hosting—has since been suspended.
Snapchat is said to have recently turned down a $3 billion acquisition offer from Facebook.
Inauspicious New Year
As personal security matters go, 2013 was a terrible year, and 2014 isn’t off to a better start.
On Jan. 1, the Syrian Electronic Army (SEA), a hacker group with loose ties to Syrian President Bashar al-Assad, took control of Microsoft’s Skype service blog, as well as its Twitter and Facebook accounts.
On Dec. 29 German news site Der Spiegel offered new revelations about the practices of the U.S. National Security Agency (NSA), which include the formation of the Office of Tailored Access Operations (TAO), a “top operative unit,” wrote Der Spiegel, that’s like a “squad of plumbers that can be called in when normal access to a target is blocked.”
On Dec. 30, security researcher Jacob Appelbaum, a co-author of the Der Spiegel report, told attendees at a Chaos Congress event that the TAO, as part of a program code-named DROPOUTJEEP, can access Android and BlackBerry devices and has a particularly potent key for getting into iPhones. (VentureBeat posted a video; go to minute 44:30 to hear Appelbaum speak about the iPhone.)
Appelbaum posted, during his talk, a top-secret document that states DROPOUTJEEP software can “remotely push/pull files from the devices, SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera capture, cell tower location, etc.).”
“Here’s a problem. I don’t really believe that Apple didn’t help them,” Appelbaum said during his presentation. “I can’t prove it, yet, but they literally claim that any time they target an iOS device that it will succeed for implantation. Either they have a huge collection of exploits that work against Apple products, meaning that they are hoarding information about critical systems that American companies produce, and sabotaging them, or Apple has sabotaged it themselves.”
Apple soon after released a statement saying that it has “never worked with the NSA to create a backdoor in any of our products, including iPhone.”