The usernames and phone numbers for 4.6 million Snapchat accounts were temporarily posted online by hackers who took advantage of a previously disclosed vulnerability within the chat service.
SnapchatDB.info went live last night and allowed visitors to download the database of Snapchat user info, though the last two digits of the phone numbers were censored “in order to minimize spam and abuse.”
The site has since been pulled offline (because the hosting provider was “intimidated by the overwhelming attention,” SnapchatDB told The Verge), but a cached version is still available.
“You are downloading 4.6 million users’ phone number information, along with their usernames,” those behind SnapchatDB.info wrote. “People tend to use the same username around the web so you can use this information to find phone number information associated with Facebook and Twitter accounts, or simply to figure out the phone numbers of people you wish to get in touch with.”
The move comes after Gibson Security last week revealed several vulnerabilities within the Snapchat app. One of those bugs could allow “someone to easily create a database of the usernames and phone numbers of users of the Snapchat application, in a small timeframe, using phone numbers automatically provided to the app,” Gibson said.
“This vulnerability could hypothetically be used to stalk members of society, such as public figures or the data could even be sold to various firms, with the intent of using it and other data to connect online profiles to people in real life,” according to the firm.
In a Dec. 27 blog post, Snapchat said that “theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way.”
“Over the past year we’ve implemented various safeguards to make it more difficult to do,” Snapchat continued. “We recently added additional counter-measures and continue to make improvements to combat spam and abuse.”
Those safeguards were apparently not enough to thwart SnapchatDB. The information posted online “was acquired through the recently patched Snapchat exploit and is being shared with the public to raise awareness on the issue,” SnapchatDB.info said. “The company was too reluctant at patching the exploit until they knew it was too late and companies that we trust with our information should be more careful when dealing with it.”
Though the data posted online was redacted, SnapchatDB said it would provide the uncensored version “under certain circumstances.”
Snapchat did not immediately respond to a request for comment. The contact email on SnapchatDB.info is no longer in use.
“We know nothing about SnapchatDB, but it was a matter of time til something like that happened. Also the exploit works still with minor fixes,” Gibson Security tweeted last night.
If you want to know if you’re at risk, Gibson posted a lookup tool that allows Snapchat users to type in their username and see if it was leaked online.
A Reddit post, meanwhile, has details about the area codes involved in the data leak. “There are also 248 US area codes which are not represented in the database,” the post reads. “Assuming a relatively uniform distribution of phone numbers in the US (which is not at all a safe assumption), the average US snapchat user has better odds of not being in the list than being in it.”
Area codes for at least 21 states do not appear to be in the database: Alaska, Delaware, Hawaii, Kansas, Maryland, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Mexico, North Carolina, North Dakota, Oklahoma, Oregon, Rhode Island, Utah, Vermont, West Virginia, and Wyoming.