As many social networks are now becoming something like an archive of your life. You can scroll down, and down, and down, all the way back to the day you created your account. Snapchat’s main feature is that it does the exact opposite of this, your photo messages to others stay for only a set amount of time, with a maximum of 10 seconds. What about your information though? You may not remember when you signed up, but you were asked for your phone number. The purpose of this is so that your account can be linked to your mobile device, making it easier for others to find you. But this information doesn’t disappear after 10 seconds, it stays around forever. And this, of course, means that it can be hacked.
And in Snapchat’s case that it will be hacked. On December 31, 2013, the hackers released 4.6 million usernames in a downloadable file on their website. In the statement from the hackers they said
Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed. It is understandable that tech startups have limited resources but security and privacy should not be a secondary goal. Security matters as much as user experience does.
We used a modified version of gibsonsec’s exploit/method. Snapchat
could have easily avoided that disclosure by replying to Gibsonsec’s private communications, yet they didn’t. Even long after that disclosure, Snapchat was reluctant to taking the necessary steps to secure user data. Once we started scraping on a large scale, they decided to implement very minor obstacles, which were still far from enough. Even now the exploit persists. It is still possible to scrape this data on a large scale. Their latest changes are still not too hard to circumvent.
We wanted to minimize spam and abuse that may arise from this release. Our main goal is to raise public awareness on how reckless many internet companies are with user information. It is a secondary goal for them, and that should not be the case. You wouldn’t want to eat at a restaurant that spends millions on decoration, but barely anything on cleanliness.
Following their statement, the last two digits from every phone number have been hidden in the lists, so you don’t have to worry about the use of this for spam, however, it shows what else Snapchat might be hiding away in their servers. It’s possible that they have archived every single photo you have sent and are keeping it on a server just as insecure as the one your user data is on.
So maybe it is good that Snapchat got hacked, because it is without a doubt that they will hear about this and need to take some action. Hopefully, that action will be to lock down their servers and invest in some penetration testing to make sure that your stuff is guarded.