Snapchat released a public blog post on January 2, acknowledging the 4.6 million usernames and phone numbers that were posted online in a data breach. So far, Snapchat has refused to apologize for the data breach, stating that no “snaps” had been leaked. Only information that is available to users through the Find Friends app was taken and posted online.
Rather than take any blame for the fault, the mobile messaging company has pushed the blame onto the users. The blog post informs users that the breach was due to someone abusing the API and breaking the terms of service. Yet updates to the Find Friends feature are coming, so the company has acknowledged that there is room for improvement.
The data breach came on New Year’s Eve, just a few days after Snapchat posted on the blog acknowledging that there was a loophole in the system. When someone opts into the Find Friends app and posts their phone number, the number is visible to all users who have access to that phone number in their own address books. A friend will be able to quickly find a username based on that phone number.
The weakness lies in abusing this system. It is possible for users to find the usernames by searching for random phone numbers. This is what happened on New Year’s Eve. A user posted a list of the usernames and phone numbers of 4.6 million users, with the last two characters/digits removed. The post has now been removed, but Snapchat refuses to apologize for this data breach.
The user responsible for posting the information stated it was to alert users of the weaknesses. While Snapchat posted a blog post that said it was theoretically possible, the user proved the case. It is a warning to other users about just how “secure” the information really is.
Snapchat has since announced that it will update the Find Friends app. This is currently an optional service, and will remain that way. The update applies to those who do decide to post their phone number and find their own friends. Users will be able to opt out of their phone number later appearing in the Find Friends searches. Other restrictions are also being added to help limit the leaking of information.
Members of the public may be worried about the lack of information from Snapchat after the data breach. It took two days for the company to publicly admit that data had been leaked. While users knew that phone numbers and usernames had been posted online, they feared that other information may have been taken. Users took to Twitter to find out more, but staff simply gave cryptic information about working with law enforcement. On January 2, Snapchat finally confirmed that no other information had been stolen.
Evan Spiegel, the CEO of the company, appeared on Today on NBC to acknowledge the stolen data. While he was “outraged” by the actions, he still refused to issue an apology on behalf of Snapchat for the breach of data. He did acknowledge the mistake of believing enough had been done after finding out about the vulnerability in the system at Christmas.
By Alexandria Ingham