It’s Snapchat’s first big test, and Snapchat is failing: A hacker has stolen and published 4.6 million customer usernames and phone numbers.
Given that Snapchat’s entire reason for being revolves around security — it’s a safe way to send a photo or a message that no one else will see because the message permanently deletes itself after it is viewed — security breaches are Snapchat’s worst nightmare.
So this is the one area where Snapchat needs to communicate directly and in plain English with its users.
And yet the company has so far acted late, and published one slightly misleading statement that has turned out to be wrong.
The vulnerability in Snapchat was revealed to Snapchat back in August by Gibson Sec, a group of white hat (i.e. “good guy”) students interested in hacking and security. Gibson Sec had discovered that it was able to access Snapchat’s API, which is like the front door to the Snapchat platform. Gibson Sec warned Snapchat that it was vulnerable to anyone else who could be bothered to do the same thing, but Gibson Sec says Snapchat ignored their warnings.
In an attempt to force Snapchat into action, Gibson Sec published details of the vulnerability on Christmas Day.
Two days later, on Dec. 27, Snapchat made its first statement on the matter, and basically denied that user names and phone numbers were up for grabs by hackers. It came in a blog post titled, “Finding Friends with Phone Numbers.” That title, of course, is incredibly misleading. Something like “Warning to users about security breach” would have been more useful.
In the rest of the post, Snapchat describes how it believes that your phone numbers are not vulnerable to hackers:
We don’t display the phone numbers to other users and we don’t support the ability to look up phone numbers based on someone’s username.
Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way. Over the past year we’ve implemented various safeguards to make it more difficult to do. We recently added additional counter-measures and continue to make improvements to combat spam and abuse.
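The bulk-lookup scenario Snapchat describes above (submit a huge set of phone numbers, keep the ones that match a username) leaves a distinctive trace in API logs: a single client submitting far more numbers than any real address-book sync, with a very low hit rate. The following is an added example of server-side detection for that pattern; it is not Snapchat's code, and the log format, client identifiers, window size and thresholds are all assumptions constructed for illustration.

```python
"""Flag clients whose find-friends lookups look like phone-number enumeration.

Added example (not Snapchat's code). Assumed log format per line:
    <ISO-8601 timestamp> <client id> <numbers submitted> <numbers matched>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one ordinary address-book sync (client-a, client-c)
# and one client pushing 20,000 numbers per request with a ~1.5% hit rate.
SAMPLE_LOG = """\
2013-12-27T10:00:00 client-a 45 12
2013-12-27T10:00:05 client-b 20000 310
2013-12-27T10:00:30 client-a 60 9
2013-12-27T10:01:00 client-b 20000 295
2013-12-27T10:02:00 client-c 120 40
2013-12-27T10:03:00 client-b 20000 301
"""

# Assumed policy values; a real deployment would tune these from traffic data.
WINDOW = timedelta(minutes=10)          # sliding window per client
MAX_NUMBERS_PER_WINDOW = 5000           # more than any plausible contact list
MIN_MATCH_RATIO = 0.05                  # real address books mostly hit known users
MIN_VOLUME_FOR_RATIO_CHECK = 1000       # avoid judging ratio on tiny samples


def parse_log(text):
    """Parse the assumed log format into (timestamp, client, submitted, matched)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, submitted, matched = line.split()
        events.append((datetime.fromisoformat(ts), client, int(submitted), int(matched)))
    return events


def detect_enumeration(events, window=WINDOW, max_numbers=MAX_NUMBERS_PER_WINDOW,
                       min_ratio=MIN_MATCH_RATIO):
    """Return {client: sorted list of reasons} for clients that trip a rule.

    Two independent signals are kept, because a patient enumerator can stay
    under the volume cap while still showing the low hit rate of guessed numbers.
    """
    recent = defaultdict(deque)   # client -> deque of (ts, submitted, matched) in window
    flagged = defaultdict(set)
    for ts, client, submitted, matched in sorted(events):
        q = recent[client]
        q.append((ts, submitted, matched))
        # Drop entries that have aged out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        total_submitted = sum(s for _, s, _ in q)
        total_matched = sum(m for _, _, m in q)
        if total_submitted > max_numbers:
            flagged[client].add("volume")
        if (total_submitted >= MIN_VOLUME_FOR_RATIO_CHECK
                and total_matched / total_submitted < min_ratio):
            flagged[client].add("low_match_ratio")
    return {c: sorted(r) for c, r in flagged.items()}


if __name__ == "__main__":
    for client, reasons in detect_enumeration(parse_log(SAMPLE_LOG)).items():
        print(f"{client}: {', '.join(reasons)}")
```

On the constructed log only `client-b` is flagged, on both rules. In practice the flag would feed a rate limiter or a step-up check on that client rather than a hard block, since a large legitimate address-book import can also exceed a simple volume cap.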
As if to prove Snapchat wrong, four days later, on Jan. 31, hackers published 4.6 million user names and phone numbers publicly. You can use this site to see if your name is on the hacked list.
And still Snapchat hasn’t given its users any advice on what to do if they believe their info is vulnerable. Nor has it reassured users about whether they are in any danger. So far, it looks as if there is little danger from hackers knowing your phone number but … who knows?
If you dig around in Snapchat’s support site, you do get this advice:
For security reasons, it is currently not possible to change the username for an existing account. If you wish, you may delete your account and create a new one.
And that is pretty much it: If you want to make your Snapchat secure, delete Snapchat.
Snapchat is a very young company, a startup. So we must expect it to make mistakes. And it is not Snapchat’s fault that it has been hacked — that is the fault of the hackers.
But CEO Evan Spiegel needs to learn that there is more to running a startup than just coming up with cool new features for your app and putting the phone down on Mark Zuckerberg: Security is the heart of the Snapchat offering.
Lose that, and the whole business is toast.