Bad news, Snapchat fans: a group of anonymous hackers have successfully exploited a nasty security hole in the popular IM application to hijack a whopping 4.6 million usernames and phone numbers, publishing this private data on a website called SnapchatDB.info.
The circa 40MB SQL database dump (also available as a CSV file) includes phone numbers and usernames, along with the affected users’ geographical region information.
Why did they do it? The leaked private information “is being shared with the public to raise awareness” of a Snapchat API exploit they’d used for the hack.
Snapchat has been aware of the security loophole in its application since August, but did literally nothing to patch it. Is there a way to see if you’ve been affected? Yes, there is. Read on for the full reveal…
It’s scary to think that anyone could get someone’s phone number off the leaked Snapchat database. At post time, the SnapchatDB.info website was offline with a message saying “This account has been suspended”.
“Either the domain has been overused, or the reseller ran out of resources,” reads the message.
According to Forbes, the website originally informed the general public that the leaked usernames of Snapchat users could be leveraged to obtain their Facebook and Twitter profile names:
You are downloading 4.6 million users’ phone number information, along with their usernames. People tend to use the same username around the web so you can use this information to find phone number information associated with Facebook and Twitter accounts, or simply to figure out the phone numbers of people you wish to get in touch with.
As if it’s any consolation, the hackers caution they’ve “censored the last two digits of the phone numbers” in order to “minimize spam and abuse”.
Fortunately, developers Will Smidlein and Robbie Trencheny took it upon themselves to write a checker script letting concerned Snapchat users check out if their account is included in the leaked information.
Just visit the URL that hosts the script and type in your Snapchat username to see if your account has been compromised.
The Verge sat down with the alleged hackers who were quick to note that even now the Snapchat API security hole persists.
Despite the fact that the database dump is no longer available online, there are no guarantees that it won’t resurface or get sold to third-parties. The hackers acknowledged as much: they’re offering the uncensored database to “security researchers from around the world, professors from various universities, private investigators and attorneys,” according to the article.
“Snapchat hasn’t made any efforts to contact with us but seeing how they disregarded [Gibson Security’s] communication attempts, and how they reacted after they noticed the scraping was going on, I don’t think they care enough,” the group behind the leak told The Verge.
In any event, you should immediately update your Snapchat login credentials and change your username. And if you’re using the same username and phone number on Facebook, Twitter and other social media accounts, consider re-registering for Snapchat with another phone number.
By the way, adding a phone number to your Snapchat account is completely optional.
Snapchat is available free in the App Store.