The Washington Post

A Snapchat security breach affects 4.6 million users. Did Snapchat drag its feet on a fix?

Snapchat founder Evan Spiegel (TechCrunch)

Snapchat users are waking up to troubling news: Thanks to a gap in the service's security, the phone numbers and usernames for as many as 4.6 million accounts have been downloaded by a Web site calling itself

The hack appears to be real, affecting at least one member of the TechCrunch editorial team and possibly Snapchat founder Evan Spiegel himself.

To see whether your account is among the compromised, you can use this basic Web site, whipped up by a couple of developers named Robbie Trencheny and Will Smidlein, that simply checks the list for your details.

SnapchatDB reportedly gained access to the Snapchat data through a vulnerability disclosed by a group of security researchers last week. In a report posted on Christmas Day, Australia-based Gibson Security explained how the app's Android and iOS API could be hacked to expose user information.

Two days later, Snapchat wrote a blog post saying it was no big deal -- that it had put in place some obstacles to "make it more difficult to do."

"We are grateful for the assistance of professionals who practice responsible disclosure," Snapchat said, "and we’ve generally worked well with those who have contacted us."

Yet SnapchatDB's exploit suggests that whatever safeguards the company put in place weren't enough.

"Even now the exploit persists," SnapchatDB said in a statement. "It is still possible to scrape this data on a large scale. Their latest changes are still not too hard to circumvent."

The people behind SnapchatDB also accused Snapchat of being sluggish to respond to the Gibson Security team from the outset, charging that the company failed to reply to the Australian researchers privately until after they posted the existence of the vulnerabilities on the Web.

SnapchatDB isn't entirely blameless in this incident, either. By releasing the database into the open, they've exposed the personal information of Snapchat's users. The goal may have been to get Snapchat's attention -- if they weren't listening before, they must be now -- but consumers are stuck in the middle with nowhere to go.

Snapchat hasn't replied to a request for comment Wednesday morning (we'll update this post if they do). But its Dec. 27 blog post didn't say that the exploit had been conclusively resolved -- just that it had thrown some obstacles in the path of would-be hackers. If the accusations about Snapchat's response time prove true, it implies a pretty cavalier attitude on its part toward security -- not to mention the privacy its vanishing photos are meant to provide in the first place.

Brian Fung covers technology for The Washington Post, focusing on telecommunications and the Internet. Before joining the Post, he was the technology correspondent for National Journal and an associate editor at the Atlantic.


