
Snapchat confirmed the leak of its users' data, but did not apologize


Snapchat called the recent leak of usernames and phone numbers of 4.6 million of its users "abuse" of its API. At the same time, the company effectively acknowledged that the way it stores information made it possible to use a database of phone numbers to look up usernames and match them to those numbers, TechCrunch writes.

According to Snapchat, additional changes will be made to the apps and to the service itself in order to prevent future leaks. The company will also add the ability to opt out of the friend search feature, which uses phone numbers.

The company says it was notified of a possible security threat in August and took some steps to fix it, among other things by limiting the rate at which the service's API can be queried. At the end of last month, in response to claims that there was still a hole in the service that allowed a database of users with their phone numbers to be obtained, Snapchat wrote in its blog that this is theoretically possible:
Theoretically, if someone is able to download a huge set of phone numbers, for example, every number within a city code or every number in the United States, he could create a database and relate user names and their phone numbers.


It sounded like an unlikely scenario, but this is exactly what the team behind the SnapchatDB.info site did, obtaining data on 4.6 million Snapchat users. They said their goal was to draw public attention and put pressure on Snapchat to close the vulnerability completely: "It is clear that technical startups have few resources, but security and privacy should not be a secondary goal."

Now Snapchat intends to add a feature that will let users opt out of being found by their phone number through the friend search feature. The company also promises to further limit the rate of API requests and to add "other restrictions" against future attempts to abuse the service.
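The following is an added example, not Snapchat's code or anything from the original article: one way a service could limit friend-search lookups is to charge an account for every phone number it looks up within a time window, rather than only counting requests. The class name, the limits, the account identifier and the idea that one request may carry several numbers are all assumptions made for illustration.

```python
import time
from collections import defaultdict, deque


class LookupBudget:
    """Sliding-window cap on phone numbers an account may look up (hypothetical)."""

    def __init__(self, max_numbers, window_seconds, clock=time.monotonic):
        self.max_numbers = max_numbers
        self.window = window_seconds
        self.clock = clock
        self._events = defaultdict(deque)  # account -> (timestamp, cost) pairs
        self._used = defaultdict(int)      # account -> numbers charged in window

    def _expire(self, account, now):
        # Drop charges that have aged out of the window.
        events = self._events[account]
        while events and now - events[0][0] >= self.window:
            _, cost = events.popleft()
            self._used[account] -= cost

    def remaining(self, account):
        self._expire(account, self.clock())
        return self.max_numbers - self._used[account]

    def allow(self, account, numbers):
        """Charge one unit per distinct number in the request; reject it whole if over budget."""
        now = self.clock()
        self._expire(account, now)
        cost = len(set(numbers))
        if self._used[account] + cost > self.max_numbers:
            return False
        self._events[account].append((now, cost))
        self._used[account] += cost
        return True


if __name__ == "__main__":
    # Constructed sample: 100 numbers per hour, requests of 40 numbers each.
    budget = LookupBudget(max_numbers=100, window_seconds=3600)
    for i in range(4):
        batch = [f"+1555000{i:02d}{n:02d}" for n in range(40)]
        print(i, budget.allow("account-1", batch), budget.remaining("account-1"))
```

A budget like this bounds how many numbers a single account can test per window; it does not by itself address lookups spread across many accounts.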

Many have noticed that Snapchat's response does not contain any apology to the users whose data was published. TechCrunch writes that this may be an attempt to avoid an admission of guilt, but that it looks like an unsuccessful one.

Source: https://habr.com/ru/post/208074/

