The user names and phone numbers of more than 4.6 million Snapchat users were posted online this week by an anonymous hacker, just days after the Los Angeles start-up was warned that such a data compromise could happen.
On a website called SnapchatDB, which may be run by an individual or a group, files containing Snapchat users' information were posted Wednesday. The website has since been taken down, but while it was live, users could download the data in SQL or CSV format.
The data contained the user names and associated phone numbers of many users, all located within North America but primarily in the U.S. The final two digits of each phone number were also censored in order to offer the affected users some protection.
The hacker or hackers said the data was published to prompt Snapchat to fix a security hole that it was aware of and had been warned could be exploited.
"Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed," SnapchatDB told the Verge. "Security matters as much as user experience does."
Snapchat was warned by a group called Gibson Security on Christmas Eve that its app contained a security flaw that could expose its users in the exact way that SnapchatDB managed to do. Days after the warning, Snapchat acknowledged the vulnerability in a blog post but downplayed the seriousness of the security hole.
"Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match user names to phone numbers that way," Snapchat said on the blog, which was posted on Friday. "Over the past year we’ve implemented various safeguards to make it more difficult to do. We recently added additional counter-measures and continue to make improvements to combat spam and abuse."
Snapchat has yet to comment on Wednesday's SnapchatDB incident.
Users can check if their information has been exposed by going to Snapcheck or Gibson Security Lookup. Unfortunately, affected users can't do much about the situation since their data is already out there, but they may want to change their passwords and keep an eye on their accounts for any unusual activity.