Snapchat has released a statement in response to news this week that about 4.6 million usernames and phone numbers have been leaked.
Snapchat says a security group found a way to use the app’s “Find Friends” feature to access the company’s database of usernames and phone numbers. This is the feature Snapchat users can use to find other people on the service. You give Snapchat your cell phone number so your friends can match it against the numbers in their address books.
After the security group found the hole, it also posted the code to the public. Then, a hacker was able to use that code and run it against a database of phone numbers.
The result? The hacker was able to publicly leak about 4.6 million Snapchat usernames and phone numbers.
Snapchat’s statement notably does not include an apology for the leak or even a statement saying it takes user privacy seriously. Instead, the company says it will release a new version of the app that will allow you to disable the Find Friends feature. It will also limit the “rate” at which people can use Find Friends, which should help reduce the chances of more numbers and usernames being leaked.
Still, the statement doesn’t say Snapchat has a complete fix for the method hackers used to leak the private user information.
Here’s the full statement:
When we first built Snapchat, we had a difficult time finding other friends that were using the service. We wanted a way to find friends in our address book that were also using Snapchat — so we created Find Friends. Find Friends is an optional service that asks Snapchatters to enter their phone number so that their friends can find their username. This means that if you enter your phone number into Find Friends, someone who has your phone number in his or her address book can find your username.
We acknowledged in a blog post last Friday that it was possible for an attacker to use the functionality of Find Friends to upload a large number of random phone numbers and match them with Snapchat usernames. On New Year's Eve, an attacker released a database of partially redacted phone numbers and usernames. No other information, including Snaps, was leaked or accessed in these attacks.
We will be releasing an updated version of the Snapchat application that will allow Snapchatters to opt out of appearing in Find Friends after they have verified their phone number. We’re also improving rate limiting and other restrictions to address future attempts to abuse our service.
We want to make sure that security experts can get ahold of us when they discover new ways to abuse our service so that we can respond quickly to address those concerns. The best way to let us know about security vulnerabilities is by emailing us: [email protected]
The Snapchat community is a place where friends feel comfortable expressing themselves and we’re dedicated to preventing abuse.