Snapchat hack affects 4.6 million users
Gibson Security said it had warned Snapchat about vulnerabilities in its app
The usernames and phone numbers for 4.6 million Snapchat accounts have been downloaded by hackers, who temporarily posted the data online.
A website called SnapchatDB released the data but censored the last two digits of the phone numbers.
It has since been taken offline but a cached version is still available.
The hack comes days after an Australian firm, Gibson Security, warned of vulnerabilities in Snapchat's app which it said could be exploited by hackers.
Gibson Security said it was not involved in the hack: "We know nothing about SnapchatDB, but it was a matter of time till something like that happened," the firm tweeted.
The hackers behind the website that published the data said they had exploited the security flaw highlighted by Gibson Security.
"We used a modified version of gibsonsec's exploit/method," they were quoted as saying by the tech blog TechCrunch.
Stronger safeguards?
Snapchat has grown in popularity as an app that allows people to share pictures, safe in the knowledge they delete themselves after being viewed.
It has a feature called Find Friends, which allows users to upload their address book contacts to help find friends who are also using the service.
In its report published on 25 December, Gibson Security warned that a vulnerability on the Snapchat app could be used to reveal the phone numbers of users.
The firm said it had first warned Snapchat about this four months ago, adding that "nothing had really been improved upon".
Vulnerability
Gibson claimed that it had been able to crunch through ten thousand phone numbers of Snapchat users "in approximately 7 minutes on a gigabit line on a virtual server".
In response to the Gibson report, Snapchat acknowledged a potential vulnerability but said it had taken measures to protect user data.
"Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the US, they could create a database of the results and match usernames to phone numbers that way," it said in a blogpost last week.
"Over the past year we've implemented various safeguards to make it more difficult to do. We recently added additional counter-measures and continue to make improvements to combat spam and abuse."
However, the hackers behind SnapchatDB, the site that published the phone numbers, said the measures were not strong enough.
"Even now the exploit persists. It is still possible to scrape this data on a large scale," they claimed.
"Their latest changes are still not too hard to circumvent."


Comment number 64.
Samuel Peter, 2nd January 2014 - 16:26
The issue of user data held by any organisation depends on integrity, confidentiality and availability if the security of such data must be protected, but once they are exposed to vulnerabilities and exploits the triangulation is shortened or breached. "Hackers say they have exposed a security flaw." What happens next, now that 4.6 million users' data have been exposed and published online?
Comment number 51.
Realist Reviewer, 2nd January 2014 - 14:26
There is no such thing as temporarily uploaded to the internet. The thing about the internet is once information is leaked, the genie is out of the bottle. The information has been copied and spread around dozens of websites by now. Shutting down one website does not make it go away; nothing is temporary on the internet lovely I'm afraid.
Comment number 45.
Indigo flamingo, 2nd January 2014 - 13:49
These sites don't have the know-how or resources to stop hacking and it was only a matter of time before this happened and it will happen again and again.
Comment number 43.
born cynic, 2nd January 2014 - 13:28
With every new day comes another new cyber hack with personal details stolen and listed or sold, etc. for some other nefarious activity. Yet millions of people every other day will sign up to another (un)secure site and provide their details. I can understand details given to a store or bank, but a photo share site or social network? But it will be forgotten a day later and the cycle continues.
Comment number 40.
J Cookson, 2nd January 2014 - 13:15
This highlights the dangers of using the same Usernames/Password for multiple online accounts. The Database of compromised personal information had been made available online but later removed. However, there are sites springing up where SnapChat users can check if their details were compromised. Maybe this isn't a good idea either as you could give away information to the wrong people.