Millions of Americans may be waking up with more problems than a hangover this New Year's Day. On Wednesday, a hacker website claimed that it had a list of the user names and phone numbers for 4.6 million people on Snapchat.
The company behind Snapchat, a 2-year-old app that offers privacy in sending pictures between phones, was warned about the potential for hacking months ago. In August, the Internet security group Gibson Security, or GibsonSec, wrote that it found a vulnerability in Snapchat's friend-finder feature that would allow a hacker to discover the phone numbers behind user names in the app. When a Snapchat user signs up, he can privately register a phone number so friends who have the user in their phones' address books can find him in the app. GibsonSec reported that if a hacker uploaded a large list of numbers to a phone, the hacker could then find the phone number behind a Snapchat name.
Four months later, Snapchat dismissed the potential security problem in response to another statement on the GibsonSec website, this one published Christmas Eve. The security company had said the issue hadn't been resolved.
"Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way," the company wrote in a blog post shortly after Christmas. Without going into further detail, it added: "We recently added additional counter-measures and continue to make improvements to combat spam and abuse."
It didn't work.
On Wednesday, a website called SnapchatDB.info (currently down) claimed it was offering files with 4.6 million pairs of Snapchat names and phone numbers for anyone to download. The last two digits of each number and the last half of each user name were blurred out, but the unknown hackers behind the site stated that they would offer the entire database to interested parties "[u]nder certain circumstances."
Snapchat has not responded to a request from HuffPost for comment on SnapchatDB.
"This information was acquired through the recently patched Snapchat exploit and is being shared with the public to raise awareness on the issue," the anonymous hackers wrote on SnapchatDB. "The company was too reluctant at patching the exploit until they knew it was too late and companies that we trust with our information should be more careful when dealing with it."