A group of unnamed individuals claimed on Wednesday that they took advantage of a vulnerability in the Snapchat application programming interface (API) that allowed them to steal a database of 4.6 million usernames and phone numbers, which they then posted to a website, SnapchatDB.info, that has since been suspended.
“This information was acquired through the recently patched Snapchat exploit and is being shared with the public to raise awareness on the issue,” according to a message on the now-suspended website, which was accessible through Internet Archive's Wayback Machine.
The hackers released the information – they censored the last two digits of each phone number – because officials with the popular photo messaging app were too slow in fixing the vulnerability, according to the message on the website. The group added that they would possibly release an uncensored version of the database if requested.
“[Snapchat] was too reluctant at patching the exploit until they knew it was too late and companies that we trust with our information should be more careful when dealing with it,” the group wrote on the website.
A Snapchat representative did not respond to an SCMagazine.com request for comment. However, Roel Schouwenberg, principal security researcher with Kaspersky Lab, told SCMagazine.com in a Thursday email that the Snapchat API played a role in the attack.
“The attackers in the Snapchat incident made full use of the Snapchat API and as such were able to retrieve usernames by guessing phone numbers,” Schouwenberg said. “Given the ease of the attack and the amount of time that it's been known for, about half a year, it's a pretty safe bet to assume at least all of the U.S. phone numbers have been tried and mapped.”
Researchers with Australia-based Gibson Security, or GibsonSec, documented Snapchat's API in August and released an advisory at the end of December 2013 that highlights numerous security vulnerabilities – one in particular that could allow an individual to build a database of usernames and phone numbers.
Schouwenberg also offered his thoughts on how the database could be misused.
“If the attacker is able to craft a profile of the target, they could then use the collected phone number to pretend they're the bank,” Schouwenberg said. “Alternatively, the phone number could be used in a phishing message to give the phishing message extra credibility.”
