Earlier this week, it was reported that nearly 5 million Snapchat users had their phone numbers leaked online in a massive data security breach. Many were concerned about the privacy of their numbers, and possibly of the snaps they had sent through the service. It also didn’t help that Snapchat stayed silent on the matter until today.
The popular image sharing service released a statement today on its blog, noting that the data leak was due to an ‘abuse’ of the app’s Find Friends service. Fortunately for users, the company has promised that it will update its app, as well as its services, to ensure that data leaks like this are much less likely in the future. However, as noted by TechCrunch, the company published a blog post last month in which it stated how a hacker could link up user names to phone numbers. This post was used essentially as a step-by-step guide to how the data was released just this week. This makes me wonder just how dedicated to security Snapchat really is, since it is making simple mistakes like telling people how to access data.
While the company did promise to update security, it still did not accept the blame for the leak, and instead passed the blame on to a violation of its Terms and Conditions. Although this is likely true, it is still the company’s responsibility to keep this data secure, and it has failed to do so. Check out the blog post either on Snapchat’s website, or pasted below.
Do you still trust Snapchat, or has the lack of responsibility from the company forced you to reconsider? Tweet me at @TiP_Griffin and let me know.
Find Friends Abuse
When we first built Snapchat, we had a difficult time finding other friends that were using the service. We wanted a way to find friends in our address book that were also using Snapchat – so we created Find Friends. Find Friends is an optional service that asks Snapchatters to enter their phone number so that their friends can find their username. This means that if you enter your phone number into Find Friends, someone who has your phone number in his or her address book can find your username.
We acknowledged in a blog post last Friday that it was possible for an attacker to use the functionality of Find Friends to upload a large number of random phone numbers and match them with Snapchat usernames. On New Year’s Eve, an attacker released a database of partially redacted phone numbers and usernames. No other information, including Snaps, was leaked or accessed in these attacks.
We will be releasing an updated version of the Snapchat application that will allow Snapchatters to opt out of appearing in Find Friends after they have verified their phone number. We’re also improving rate limiting and other restrictions to address future attempts to abuse our service.
We want to make sure that security experts can get ahold of us when they discover new ways to abuse our service so that we can respond quickly to address those concerns. The best way to let us know about security vulnerabilities is by emailing us: firstname.lastname@example.org.
The Snapchat community is a place where friends feel comfortable expressing themselves and we’re dedicated to preventing abuse.