
Data of 4.6 million Snapchat messenger users leaked



Telephone numbers and usernames of more than 4.6 million users of the photo messenger Snapchat have been posted publicly, The Verge writes. On a specially launched site, SnapchatDB (at the time of publication the site does not open), two files have been published, an SQL dump and a CSV text file, which contain the numbers and usernames, as well as the geographical location of users.

The authors of the site hid the last two digits of the numbers in order to “minimize spam and abuse”, but they also say that they can be contacted for the full version of the database, which they can hand over to security researchers or lawyers.

According to the representatives of SnapchatDB, the published information covers the vast majority of Snapchat users, but estimates of Snapchat's user base (26 million in the US) suggest that this is not entirely true. Those who examined the published data also reported that the database is not complete. Reddit users write that, judging by the area codes, all affected users are in North America, and the database contains only 76 of the 322 US area codes plus two Canadian ones.

Back in August, the Gibson Security research team discovered a security bug in the “find friends by phone numbers” feature of the Snapchat app. According to Ars Technica, this bug could have been fixed "with several lines of code." After Snapchat did not respond, Gibson Security published the application's private API on December 24 and demonstrated how anyone could check 10,000 phone numbers in just seven minutes.

In response, Snapchat wrote on its blog on December 27 that, in theory, if someone uploaded a huge set of phone numbers, “for example, every number within an area code or every possible number in the US”, they could correlate usernames and phone numbers. However, the company said that over the past year it had already "introduced a number of protective measures to make it more difficult."

According to the SnapchatDB team, they used a modified version of the Gibson Security exploit:

Snapchat could easily have avoided this leak by replying to Gibsonsec emails, but they did not. Even after a leak, Snapchat did not take the necessary measures for a long time to ensure the safety of user data. As soon as we started collecting data on a large scale, they decided to introduce minor obstacles, but they were far from enough. Even now, the vulnerability persists and it is still possible to get even more data.

Source: https://habr.com/ru/post/207984/