After a leak that put the data of 4.6 million users online, photo messaging service Snapchat has issued a public response to the incident.
On Thursday, Snapchat published a blog post saying it would release an updated version of its popular app in order to remediate now heavily publicized issues with its Find Friends service, which lets users find other members using a phone number lookup method.
“We acknowledged in a blog post last Friday that it was possible for an attacker to use the functionality of Find Friends to upload a large number of random phone numbers and match them with Snapchat usernames,” the post said. “On New Year's Eve, an attacker released a database of partially redacted phone numbers and usernames. No other information, including Snaps, was leaked or accessed in these attacks.”
Ironically enough, Gibson Security – the security group that warned Snapchat of the vulnerability in its application programming interface (API) and disclosed the issue after Snapchat appeared sluggish to respond – has set up a page where users can find out whether they were impacted by the leak.
The group that exploited the Snapchat vulnerability to access and post users' data online has yet to be identified.
The photo messaging service said that the updated app will allow users to “opt out of appearing in Find Friends after they have verified their phone number.” To prevent future abuse of its service, Snapchat is also improving other app restrictions.
Snapchat now directs researchers to disclose security vulnerabilities to the service by emailing firstname.lastname@example.org.