Photo-sharing service Snapchat has become the latest victim of hacking, with over 4.6 million usernames and partial phone numbers exposed to the internet.
What the heck happened?
What a nice way to ring in the New Year! 2014 has arrived, and with that ball drop came another dropped ball: a massive data theft from popular mobile photo-sharing service Snapchat. It seems that around Jan. 1, a group of anonymous hackers stole and posted online a large sampling of the service’s US and Canadian user info. Snapchat members’ usernames, general locations and most of each telephone number (last two digits obscured with XX) were bundled into a Zip file and posted to the website snapchatdb.info. This data was available for download as late as January 4.
On that same website, the group posted a link to an email account that could be used to get in contact with them, as well as a prepared statement designed to cast the perpetrators in a more positive light, stating that they only hacked the service to “raise awareness on the issue.” This explanation defies reason, as their message further states that the phone numbers are only obscured “for now” and that if one were to contact them at the provided email address, they would release the uncensored version “under certain circumstances.”
This hack is particularly embarrassing for Snapchat as they only recently dismissed concerns over the security of their service, noting that users weren’t required to store a phone number with their account if they didn’t wish to and claiming to have “implemented various safeguards” against exploits to make them more difficult. This was in response to a posting by Gibson Security in their writeup on the Snapchat API in which Gibson said that a hacker could check up to 10,000 phone numbers in just seven minutes for matching with usernames. Snapchat suggested in their blog post that there was nothing they could do to stop a determined person from using a database of known phone numbers that could then be cross-referenced with Snapchat users to glean their account names. There is no word yet on whether this type of breach was the actual exploit used by the hackers responsible for the recent data heist.
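One server-side check for the bulk phone-number lookups described above, as an added example that is not code from Snapchat, Gibson Security or this article. The event format, the thresholds and every name in it are assumptions; only the seven-minute window comes from the figure quoted above.

```python
from collections import defaultdict, deque

WINDOW_S = 7 * 60     # the seven-minute span quoted from the Gibson writeup
MAX_NUMBERS = 1000    # assumed per-account ceiling on distinct numbers per window
MIN_ADJACENT = 0.5    # assumed share of numbers that sit in consecutive runs


def adjacent_share(numbers):
    """Fraction of distinct numbers whose neighbour (n-1 or n+1) was also looked up."""
    seen = set(numbers)
    if not seen:
        return 0.0
    hits = sum(1 for n in seen if n - 1 in seen or n + 1 in seen)
    return hits / len(seen)


def flag_enumerators(events):
    """events: time-ordered (unix_ts, account, [phone numbers as ints]) tuples,
    a hypothetical log of contact-matching requests.
    Returns the accounts that exceed both thresholds inside any one window."""
    windows = defaultdict(deque)  # account -> deque of (ts, numbers)
    flagged = set()
    for ts, account, numbers in events:
        win = windows[account]
        win.append((ts, numbers))
        while win and ts - win[0][0] >= WINDOW_S:
            win.popleft()  # drop batches that fell out of the window
        in_window = [n for _, batch in win for n in batch]
        if (len(set(in_window)) >= MAX_NUMBERS
                and adjacent_share(in_window) >= MIN_ADJACENT):
            flagged.add(account)
    return flagged


def sample_events():
    """Constructed sample: one ordinary address-book upload and one range sweep."""
    # 40 scattered, constructed numbers, as a real contact list would look.
    address_book = [(0, "alice", [2025550100 + 37 * i for i in range(40)])]
    # Ten batches of 1,000 consecutive numbers, 40 s apart (10,000 in under 7 minutes).
    sweep = [(10 + 40 * i, "sweeper",
              list(range(3105550000 + 1000 * i, 3105551000 + 1000 * i)))
             for i in range(10)]
    return sorted(address_book + sweep, key=lambda e: e[0])


if __name__ == "__main__":
    print(flag_enumerators(sample_events()))
```

Volume alone would also flag a user with a very large address book, which is why the check requires consecutive runs as well; a sweep over scattered numbers would need a different signal.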
My info was probably in the hacked Snapchat data! What do I do?
1. As a matter of good privacy, every Snapchat user should delete their account and create a new one (a unique one not linked to other social media or email accounts). This will break the data link between username and partial phone number going forward.
2. Opt out of the Find Friends feature. Opting out will break the ability to find your username based on your phone number. Of course, this means that in the future you will have to tell your friends what your username is in order for them to connect with you. Snapchat has promised to update their app with this ability as soon as possible.
3. Delete your phone number from the service. Why let them store it if they can’t secure it?
What is the risk to me?
A third party with knowledge of your Snapchat username could use that info to get your partial phone number from the database, create a list of the 99 possible phone numbers that could belong to you, upload that to an address book, then search the Snapchat service for a match, thereby obtaining your phone number. Hacked phone numbers could be used to spam or harass individuals on their cell phones.
A third party with knowledge of your phone number could use it to match to a list of possible Snapchat usernames, giving that person a username that may be used on other services across the internet, such as Gmail, Facebook or Twitter. This could facilitate online stalking or increases in spam email.
Comfort level and minor concerns:
This particular hacking incident is either minor or major depending on your own personal comfort level with regard to privacy. Some people post their phone numbers, emails, everything online with nary a care for security. Other people perform weekly Google searches to ensure no stray data has leaked onto the internet. Regardless of your level of comfort, we all need to be aware of the danger this breach poses for underage children who use the service. Talk to your minor child about this data leak and about good security habits in general, and make sure you follow suggestions 1, 2 and 3 above to protect them on Snapchat going forward.
IMPORTANT: Do not be lulled into a false sense of security. Maybe you used a tool linked to in another news story and you searched for your username only to be told “You’re Safe. Don’t worry, your data wasn’t leaked.” How do they know that? They don’t; they’re merely guessing based on what data the hackers released so far…a dangerous assumption if you ask me. Worse yet, what if the tool writers are storing usernames or phone numbers which you submit to them?
Don’t be a dummy. I advise EVERYONE with a Snapchat account to change usernames, opt out and delete their phone number from Snapchat’s servers.