Users of the rapidly growing photo sharing social app called Snapchat got some potentially bad news - and now the company has responded.
It's estimated the names and phone numbers of about 4.6 million Snapchat members were published online by anonymous hackers at a site that's since been taken down (although some information is still available via leaked databases).
If you are a Snapchat user and aren't sure whether you've been affected, visit this site first. It was set up by a security group very close to the Snapchat problem. Only users within certain area codes in the United States were affected by the breach, according to the site.
You may remember Snapchat as the social startup that recently turned down a cool $3 billion from Facebook, which wanted to acquire the company. You may also remember that Snapchat specializes in a type of photo sharing in which temporary photos and brief messages are shared on the network for up to 10 seconds and then deleted. (The site actually notifies the sender if another user has made a copy of the message.) Also important is that messages are shared only with the connections you specifically designate - not to the entire world.
So with such an emphasis on allowing users to control with whom they are sharing messages, you would think that user privacy should have been a top priority.
However, it turns out that Snapchat was apparently warned twice about a vulnerability in its system and did not do enough to address it.
In fact, Snapchat was reportedly contacted as early as August by an Australia-based company called Gibson Security, The Daily Caller reports. Gibson set up the site mentioned above for members to determine whether or not their accounts have been breached.
Then, last week Snapchat acknowledged the security group had posted a private communication detailing a specific method hackers could use to obtain private user information, but downplayed the problem. On its official blog, Snapchat explained:
Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way. Over the past year we've implemented various safeguards to make it more difficult to do. We recently added additional counter-measures and continue to make improvements to combat spam and abuse.
Yet, hackers apparently used a variation of the exact tactic spelled out by Gibson to successfully obtain user information from the site. Hackers who claimed responsibility for yesterday's breach insisted they were trying to expose Snapchat's security issues for everyone's good. They told the Verge:
"Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed. Security matters as much as user experience does."
Snapchat today responded by emphasizing that the information released was limited to redacted phone numbers and usernames, not "snaps" (i.e., pictures shared). It also said that the vulnerability is related to the optional "Find Friends" feature and noted:
"We will be releasing an updated version of the Snapchat application that will allow Snapchatters to opt out of appearing in Find Friends after they have verified their phone number. We're also improving rate limiting and other restrictions to address future attempts to abuse our service."