Snapchat has finally responded to the hack in which 4.6 million usernames and phone numbers were stolen, and it is not apologizing for leaving the security hole unfixed despite knowing about it before the hack.
They acknowledge that the hack exploited the weakness Gibson Security had previously reported to them. “A security group first published a report about potential Find Friends abuse in August 2013. Shortly thereafter, we implemented practices like rate limiting aimed at addressing these concerns. On Christmas Eve, that same group publicly documented our API, making it easier for individuals to abuse our service and violate our Terms of Use.”
They went on to say that “we acknowledged in a blog post last Friday that it was possible for an attacker to use the functionality of Find Friends to upload a large number of random phone numbers and match them with Snapchat usernames. On New Year's Eve, an attacker released a database of partially redacted phone numbers and usernames. No other information, including Snaps, was leaked or accessed in these attacks.”
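Snapchat's statement names rate limiting as its fix for Find Friends, and the abuse it describes is a bulk upload of random numbers. The following is an added illustration, not Snapchat's code; the directory, budgets and thresholds are constructed assumptions. It shows two defensive controls a contact-discovery endpoint can apply: a budget counted in phone numbers rather than requests, and a flag on clients whose lookups almost never match, which is how random guessing differs from a real address book.

```python
from collections import defaultdict, deque
import time

# Constructed sample directory (phone number -> username); not real data.
DIRECTORY = {"+15555550101": "alice_snaps", "+15555550102": "bob_k",
             "+15555550107": "carol_c"}

class FindFriendsService:
    """Contact-discovery lookup with two abuse controls: the rate limit
    budgets phone numbers per client per window (not requests, so one
    request carrying thousands of numbers cannot slip past a per-request
    limit), and a client whose lookups rarely match is flagged, since a
    real address book mostly holds registered users and random numbers do not."""

    def __init__(self, max_numbers=100, window_seconds=3600,
                 min_lookups=50, min_match_ratio=0.05, clock=time.monotonic):
        self.max_numbers, self.window, self.clock = max_numbers, window_seconds, clock
        self.min_lookups, self.min_ratio = min_lookups, min_match_ratio
        self._stamps = defaultdict(deque)            # client -> lookup times in window
        self._totals = defaultdict(lambda: [0, 0])   # client -> [lookups, matches]

    def _prune(self, client, now):
        q = self._stamps[client]
        while q and now - q[0] >= self.window:
            q.popleft()

    def remaining(self, client):
        """Phone numbers this client may still look up in the current window."""
        self._prune(client, self.clock())
        return self.max_numbers - len(self._stamps[client])

    def is_suspicious(self, client):
        """True once a client has made many lookups with a very low match rate."""
        lookups, matches = self._totals[client]
        return lookups >= self.min_lookups and matches / lookups < self.min_ratio

    def find_friends(self, client, phone_numbers):
        """Return {number: username} for registered numbers, or refuse the
        whole batch when it would exceed the client's remaining budget."""
        unique = set(phone_numbers)                  # duplicates neither cost nor gain
        if len(unique) > self.remaining(client):
            raise PermissionError("lookup budget exceeded; try again later")
        now = self.clock()
        self._stamps[client].extend([now] * len(unique))
        matches = {n: DIRECTORY[n] for n in unique if n in DIRECTORY}
        self._totals[client][0] += len(unique)
        self._totals[client][1] += len(matches)
        return matches
```

The budget and match-ratio thresholds are placeholders; a real deployment tunes them from observed address-book sizes and match rates, and keys the budget per account as well as per device or IP.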
Gibson Security had released information on the security weakness in Snapchat on December 25th, after previous attempts to inform the company were apparently ignored. They felt they needed to take more drastic steps to ensure that Snapchat fixed the problem. “They probably dismissed the bug as theoretical in our case, which was, very, very, frustrating,” a Gibson Security representative told VentureBeat. “Having any security vulnerabilities in a system is a bad thing. It doesn’t really matter how severe they are.”
It is possible that the hackers are on a similar page, and released the data only to further expose Snapchat’s weakness. “Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed,” the hackers told The Verge. “Security matters as much as user experience does.”
Still, although the hackers blurred out the last two digits of the phone numbers they released, they have said they would be willing to release some full numbers if contacted, implying that they could be paid for some of the information.
[via Venture Beat, The Verge]