The Inquirer-Home

Snapchat hackers post four million usernames

Leakers' cauldron shut off
Thu Jan 02 2014, 10:36

HACKERS HAVE POSTED account details belonging to more than four million Snapchat users.

The information was posted to a website called SnapchatDB that went live on New Year's Eve but has since been suspended.

According to TechCrunch, which got a look at the website before it went dark, it included files containing contact details.

The attack made the most of some reasonably well-known issues with Snapchat, and a post made a few days ago by Gibson Security said that some flaws have been in existence for at least four months.

"Given that it's been around four months since our last Snapchat release, we figured we'd do a refresher on the latest version, and see which of the released exploits had been fixed (full disclosure: none of them). Seeing that nothing had been really been improved upon (although, stories are using AES/CBC rather than AES/ECB, which is a start), we decided that it was in everyone's best interests for us to post a full disclosure of everything we've found in our past months of hacking," it said in a Gibsec security disclosure.

"In the time since our previous release, there have been numerous public Snapchat api clients created on Github. Thankfully, Snapchat are too busy declining ridiculously high offers from Facebook and Google, and lying to investors (hint: they have no way to tell the genders of their users, see /bq/register for a lack of gender specification) to send unlawful code takedown requests to all the developers involved."

The hacker group told TechCrunch that this was the exploit route that it followed, and added that it acted to highlight Snapchat's security issues.

"Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed," it said.

"It is understandable that tech startups have limited resources but security and privacy should not be a secondary goal. Security matters as much as user experience does. We used a modified version of gibsonsec's exploit/method. Snapchat could have easily avoided that disclosure by replying to Gibsonsec's private communications, yet they didn't."

Snapchat has not commented on reports of the security breach, but it did respond to Gibson's report saying that it didn't really represent evidence of a threat. µ

