Snapchat's Invisible 'Apology' for Hack that Hit 4.6 Million Users

Snapchat said it is releasing an updated version of its app that will allow users to opt out of appearing in the Find Friends feature after they have verified their phone number.
The Find Friends feature was the target of hackers who were able to publicly leak about 4.6 million Snapchat usernames and phone numbers. The usernames and phone numbers were temporarily posted online.
The hack came days after an Australian firm, Gibson Security, warned of vulnerabilities in Snapchat’s app which it said could be exploited by hackers.
Gibson Security said it was not involved in the hack. The hackers behind the website that published the data said they had exploited the security flaw highlighted by Gibson Security.
Snapchat has soared in popularity because it allows people to share pictures, with the knowledge that they delete themselves after being viewed. This is also the reason for the app’s popularity amongst those cheating on their spouse or partner.
In its statement, Snapchat didn’t apologize for allowing its vulnerability to persist, despite the warning.
“We want to make sure that security experts can get a hold of us when they discover new ways to abuse our service so that we can respond quickly to address those concerns,” Snapchat said in its statement. “The best way to let us know about security vulnerabilities is by emailing us: security@snapchat.com.”
Snapchat even admitted that it had a vulnerability — before releasing an updated version of its app.
“We acknowledged in a blog post last Friday that it was possible for an attacker to use the functionality of Find Friends to upload a large number of random phone numbers and match them with Snapchat usernames,” Snapchat said. “On New Years Eve, an attacker released a database of partially redacted phone numbers and usernames. No other information, including Snaps, was leaked or accessed in these attacks.”
Here’s the full statement from Snapchat:

When we first built Snapchat, we had a difficult time finding other friends that were using the service. We wanted a way to find friends in our address book that were also using Snapchat – so we created Find Friends. Find Friends is an optional service that asks Snapchatters to enter their phone number so that their friends can find their username. This means that if you enter your phone number into Find Friends, someone who has your phone number in his or her address book can find your username.
A security group first published a report about potential Find Friends abuse in August 2013. Shortly thereafter, we implemented practices like rate limiting aimed at addressing these concerns. On Christmas Eve, that same group publicly documented our API, making it easier for individuals to abuse our service and violate our Terms of Use.
We acknowledged in a blog post last Friday that it was possible for an attacker to use the functionality of Find Friends to upload a large number of random phone numbers and match them with Snapchat usernames. On New Years Eve, an attacker released a database of partially redacted phone numbers and usernames. No other information, including Snaps, was leaked or accessed in these attacks.
We will be releasing an updated version of the Snapchat application that will allow Snapchatters to opt out of appearing in Find Friends after they have verified their phone number. We’re also improving rate limiting and other restrictions to address future attempts to abuse our service.
We want to make sure that security experts can get a hold of us when they discover new ways to abuse our service so that we can respond quickly to address those concerns. The best way to let us know about security vulnerabilities is by emailing us: security@snapchat.com.
The Snapchat community is a place where friends feel comfortable expressing themselves and we’re dedicated to preventing abuse.
