As reported earlier, on New Year's Day a group called SnapchatDB, in a painfully ironic move, hacked and publicly exposed the user names and phone numbers for 4.6 million users of the site that prides itself in its secrecy of its transmitted content (which supposedly disappears once it is deleted everywhere except on the NSA's hard drives to be used in the future as the opportunity presents itself) primarily involving photos of user genitals and market-moving inside information. Explaining its actions, SnapchatDB's statement was as follows:
Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed. It is understandable that tech startups have limited resources but security and privacy should not be a secondary goal. Security matters as much as user experience does.
We used a modified version of gibsonsec’s exploit/method. Snapchat could have easily avoided that disclosure by replying to Gibsonsec’s private communications, yet they didn’t. Even long after that disclosure, Snapchat was reluctant to taking the necessary steps to secure user data. Once we started scraping on a large scale, they decided to implement very minor obstacles, which were still far from enough. Even now the exploit persists. It is still possible to scrape this data on a large scale. Their latest changes are still not too hard to circumvent.
We wanted to minimize spam and abuse that may arise from this release. Our main goal is to raise public awareness on how reckless many internet companies are with user information. It is a secondary goal for them, and that should not be the case. You wouldn’t want to eat at a restaurant that spends millions on decoration, but barely anything on cleanliness.
TechChrunch summarized the situation concisely:
The Gibson Security report and SnapchatDB are both reminders that even in an ephemeral messaging service, it would be a mistake to be lulled into a sense of security about the information that you do have stored with the app. “People tend to use the same username around the web so you can use this information to find phone number information associated with Facebook and Twitter accounts, or simply to figure out the phone numbers of people you wish to get in touch with,” SnapchatDB stated on the site.
Of course, in this day and age when we revealed the NSA's leaked backdoor hacks, why anyone would assume anything they transmit over the internet - even encrypted - is secure is beyond us.
In the meantime, however, for those concerned if their Snapchat account was among those hacked, here is a simple way to check if your username was among the victims. The advice of the creators of the lookup database: "If your data has been leaked, don't freak out! There are a few things you can do if you've been affected. First and foremost, you can delete your Snapchat account here - sadly, this won't remove your phone number from the already circulating leaked database."