X

Overexposed: Snapchat user info from 4.6M accounts

The incident comes just days after Snapchat acknowledged a potential flaw that would allow exposure of usernames and phone numbers.

Jon Skillings Editorial director
Jon Skillings is an editorial director at CNET, where he's worked since 2000. A born browser of dictionaries, he honed his language skills as a US Army linguist (Polish and German) before diving into editing for tech publications -- including at PC Week and the IDG News Service -- back when the web was just getting under way, and even a little before. For CNET, he's written on topics from GPS, AI and 5G to James Bond, aircraft, astronauts, brass instruments and music streaming services.
Expertise AI, tech, language, grammar, writing, editing Credentials
  • 30 years experience at tech and consumer publications, print and online. Five years in the US Army as a translator (German and Polish).
Jon Skillings
2 min read
Security

Heads up, Snapchat users: someone has allegedly compromised 4.6 million accounts, potentially exposing your usernames and phone numbers.

The Snapchat account information apparently had been posted to a site called SnapchatDB.info by an individual or group determined to prod the 2-year-old photo-sharing service, which has more than 8 million adult users in the US alone, into shoring up its security. Sometime after the hack was first revealed overnight, the SnapchatDB site went offline, perhaps because of all the attention it attracted: "This account has been suspended," reads the brief note at the Web site. "Either the domain has been overused, or the reseller ran out of resources."

The phone numbers that were revealed were not quite complete. SnapchatDB reportedly blocked out the last two digits in a small, but likely incomplete, gesture toward preserving users' privacy.

The incident, which affects users primarily in the US, comes just a few days after Snapchat acknowledged a potential vulnerability that would allow "a possible attack by which one could compile a database of Snapchat usernames and phone numbers." At that time, Snapchat even described how such an attack might be constructed -- a description suggestive of the framework that may have been used by SnapchatDB -- even as it said it has taken preventive measures:

Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way. Over the past year we've implemented various safeguards to make it more difficult to do. We recently added additional counter-measures and continue to make improvements to combat spam and abuse.

Whoever is behind SnapchatDB told the Verge that Snapchat had not, in fact, taken sufficient action to protect users' data: "Once we started scraping on a large scale, they decided to implement minor obstacles, which were still far from enough. Even now the exploit persists. It is still possible to scrape this data on a large scale."

Snapchat's blog post and SnapchatDB's actions stemmed from a Christmas Eve post by Gibson Security detailing Snapchat code that would allow access to Snapchat user information.

CNET has contacted Snapchat for comment and will update this story when we hear back.