Snapchat: In 'theory' you could hack... Oh CRAP is that 4.6 MILLION users' details?

Hackers claim to have lifted millions of Snapchat usernames and phone numbers, apparently taking advantage of a vulnerability that the messaging service last week dismissed as mostly theoretical. A partially redacted database of 4.6 million usernames and phone numbers (minus two digits) - purportedly of Snapchat users - have …

COMMENTS

This topic is closed for new posts.
Silver badge

That turned down $3bn ...

... is fading into the distance.

17
0
Silver badge

Re: That turned down $3bn ...

Yep. Worth about 45p now.

In fact I'll offer them 30p cash right now. Take it or leave it, one time offer.

8
0
Facepalm

Idiots, that is all.

For reference, an excellent new (and free) service that was launched recently to help people determine if their details have been included in this and other big data breaches:

https://haveibeenpwned.com/

Enter your email or snapchat username to see if you have been a victim of this and other data breaches (Adobe, Yahoo!, Sony, etc)

0
14
Silver badge
WTF?

"Enter your email or snapchat username to see if you have been a victim of this and other data breaches (Adobe, Yahoo!, Sony, etc)"

Yeah right......enter valid details on an unknown website, that sounds like a clever plan!

Domain Name: HAVEIBEENPWNED.COM
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS35.DOMAINCONTROL.COM
Name Server: NS36.DOMAINCONTROL.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 13-nov-2013
Creation Date: 13-nov-2013
Expiration Date: 13-nov-2014

27
2

Run by Troy Hunt who is a security researcher

1
1

Don't check with your e-mail address

If you're affected by the snapchat episode, don't enter your e-mail.

AFAIK (could be wrong), but reading the exploit code and looking at their API, the most detail it leaks is phone numbers, display name, username and whether the account is public/private; e-mails aren't part of it.

If you do enter your e-mail you will be leaking your own info. Who such checking sites are run by is irrelevant.

2
0
Anonymous Coward

Interesting...

None of my Sony accounts were there, but Adobe and Gawker were.

It's as if the Sony, Adobe and Gawker hacks are disproportional to the amount of media coverage they got....

1
0
Anonymous Coward

Do you have to enter your password and credit card number too?

11
0
Anonymous Coward

Which makes the site even more dubious.

Giving your details to someone who likes to hack things for a living, what could possibly go wrong?

6
0
Silver badge

Well, my adobe@ username has obviously been "pwned". None of the others have, allegedly. At least according to that site.

However according to an utterly massive data dump I (and many others) got from the Reg a while ago, my email address for this place is comprehensively pwned. Coff. Lucky I have at least semi-sensible passwords, eh?

As for being all super scared about entering your details into that web site, it's been around for quite the long while now. It's being run by someone who presumably wants you to use it. Doing nefarious things with the stuff you type into the search box is not going to be conducive to that. Besides, exactly what is the owner going to do with your username, when s/he apparently already has raw data from umpteen leaks to choose from?

0
0

Only 'unknown' if you don't know your InfoSec Pros. Troy has done good work for several years, and is well known and well respected in the industry.

(I especially recommend you check out his work with cold-call scammers, rather entertaining.)

1
0
Silver badge
Facepalm

haveibeenpwned...?

You have now!

3
0
Anonymous Coward

Amazing, I'm on the list and I don't even use or have signed up to snapchat?

0
0

What's with all the downvotes?

The site is run by Troy Hunt who is a very well respected security researcher whose reputation is far too valuable for him to do anything screwy with the data people enter. Maybe I should have stated that in my original post.

He doesn't store the details you enter and even if he did, I'd trust him with my data over a lot of other companies, at least he understands the need for security and how to implement it.

I was just trying to offer some help so people can discover if their accounts have been compromised, think I won't bother next time!

2
0
142

Re: What's with all the downvotes?

I agree. It showed my spam-box email address, which I don't care about, was leaked by Adobe, together with the password I used on the site. There was zero reason to require an email address or account for what I had needed anyway, Adobe just insisted, like Codemasters before them, with the same result. CUNTS, the lot of them.

However, I guess a point is that you probably shouldn't need to use Hunt's site - you should assume your details are stolen, and act accordingly.

1
0
Bronze badge

"Run by Troy Hunt who is a security researcher"

Like that's going to make all the difference in the world. I tried "fuckyou@somewhere.com" and it appears that that entirely made up name had already been pawned at Adobe.

But there is good news: "jdhdu34@ksdjfdke434.com" is free from any pawnage. I'll be sure to use that one in the future...

1
1

Seems legit

Enter your details, hit submit and then the server spits you out at haveibeenpwned.com/youhavenow

0
0

>I tried "fuckyou@somewhere.com" and it appears that that entirely made up name had already been pawned at Adobe.

Oh, how original. I'm sure if you tried asdf@asdf.com or one of the other top 100 made up email addresses you'd find them in commonly hacked databases. Even on sites that require a validation email, it doesn't mean your address is ever deleted from the server if it's not validated.

2
0
Bronze badge

I put my spambucket account in there. let's see if the spam increases :D

0
0

Really? Given the amount of people that don't like giving their details online, you're surprised that the fake email address "fuckyou@somewhere.com" exists on a list of millions of addresses in the Adobe leak?

Didn't take the monkeys very long to bash that out on their infinite typewriters.

0
0
Silver badge

Does this mean...

That I will start receiving random selfies

4
0
Silver badge

Re: Does this mean...

Yep I hooked you up so you get all the before selfies from Weight Watchers customers from now on.

2
0

Errr, seeing as snapchat claim to have 30 million active accounts I wouldn't describe 4.6 million as the 'vast majority'. But hey, nothing wrong with talking up a story. Neither I nor a few random friends I checked are actually in the list, thankfully. Having said that, it's outrageous they knew about the issue and did nothing; with more time and effort they probably could have obtained most of the accounts.

1
6
Silver badge
Trollface

25 million accounts are dogeaccounts

2
0
Silver badge
Trollface

@bigtime - "seeing as snapchat claim to have 30 million active accounts"

It must be true - I read it on the intertubes. No website would ever lie about the size of its active user base.

8
0

4.6 M actual out of 30 M claimed

on the plus side it IS snapchat, so all the details will disappear in a few minutes anyway :oP

11
0
MrT
Bronze badge

Sophos Naked Security blog...

... natural(ist)ly, given the content...

0
0

useful stuff

What would I give to have the email address and phone number of everyone who uses snapchat? Hmm, about £0.00

4
0
Bronze badge

Re: useful stuff

They've already proven to be blindingly trustful of people on the internet, just claim to be a new internet payment company that deletes their banking details 6 seconds after the transaction and you can start extracting obscene amounts of cash from them.

I know that most of the users are teenagers living at home, but the same kind of parent that gives their kids a smartphone is also the same kind of idiot that gives them a credit card.

0
0

Silver badge
Happy

Unprecedented

Nothing like this has ever happened before, so obviously the people running Snap{whatever} couldn't possibly have foreseen that their inaction would lead to this, could they?

Could they?

4
0
Bronze badge

Is this not more a terms of service violation* than a security problem? I don't use Snapchat and don't know their terms, but it appears the "hack" uses a provided API for its intended purpose, albeit "from a program" and at a high rate. If this runs against their TOS and they chose not to prevent it that is pretty sloppy on their part and risks customer irritation for going beyond what they thought based on the TOS acceptance that they clicked without reading any part of.

* Of course, in the US this might fall under the Computer Fraud and Abuse Act and be subject to prosecution by an occasional politically ambitious US Attorney

0
0
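The comment above frames the issue as a provided API being called from a program at a high rate. One defensive control that matches that description is spotting bulk lookups per client before they accumulate into a database. The following is an added example, not code from Snapchat, from the thread, or from any poster: it assumes a hypothetical log format (ISO timestamp, client IP, endpoint name, queried phone number) and a hypothetical endpoint name `find_friends`, uses constructed sample lines, and flags any client that queries more than a threshold of distinct numbers inside a sliding time window.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical format:
#   <ISO timestamp> <client IP> <endpoint> <queried phone number>
# Client 203.0.113.5 walks six distinct numbers in six seconds (bulk lookup),
# 198.51.100.7 repeats the same couple of numbers, and 192.0.2.9 spreads its
# lookups 30 s apart so no 60 s window ever holds more than three of them.
SAMPLE_LOG = """\
2014-01-01T10:00:00 203.0.113.5 find_friends +15550100001
2014-01-01T10:00:00 198.51.100.7 find_friends +15550100050
2014-01-01T10:00:00 192.0.2.9 find_friends +15550100070
2014-01-01T10:00:01 203.0.113.5 find_friends +15550100002
2014-01-01T10:00:02 203.0.113.5 login +15550100099
2014-01-01T10:00:02 203.0.113.5 find_friends +15550100003
2014-01-01T10:00:03 203.0.113.5 find_friends +15550100004
2014-01-01T10:00:04 203.0.113.5 find_friends +15550100005
2014-01-01T10:00:05 203.0.113.5 find_friends +15550100006
2014-01-01T10:00:30 198.51.100.7 find_friends +15550100051
2014-01-01T10:00:30 192.0.2.9 find_friends +15550100071
2014-01-01T10:00:45 198.51.100.7 find_friends +15550100050
2014-01-01T10:01:00 192.0.2.9 find_friends +15550100072
2014-01-01T10:01:30 192.0.2.9 find_friends +15550100073
2014-01-01T10:02:00 192.0.2.9 find_friends +15550100074
2014-01-01T10:02:30 192.0.2.9 find_friends +15550100075
"""

LOOKUP_ENDPOINT = "find_friends"  # hypothetical name for the phone-number lookup call


def parse_line(line):
    """Split one log line into (timestamp, client, endpoint, number)."""
    ts, client, endpoint, number = line.split()
    return datetime.fromisoformat(ts), client, endpoint, number


class EnumerationDetector:
    """Per-client sliding window over recent lookups.

    A client is flagged once the number of *distinct* phone numbers it has
    queried within the window exceeds max_distinct. Counting distinct values
    rather than raw requests keeps a client that retries one lookup from
    tripping the detector.
    """

    def __init__(self, window_seconds=60, max_distinct=5):
        self.window = timedelta(seconds=window_seconds)
        self.max_distinct = max_distinct
        self.recent = defaultdict(deque)  # client -> deque of (timestamp, number)

    def observe(self, ts, client, number):
        """Record one lookup; return True if this client is now over the limit."""
        window = self.recent[client]
        window.append((ts, number))
        # Drop entries older than the window (log lines are assumed time-ordered).
        while window and ts - window[0][0] > self.window:
            window.popleft()
        distinct = {n for _, n in window}
        return len(distinct) > self.max_distinct


def flag_bulk_lookups(log_text, window_seconds=60, max_distinct=5):
    """Return {client: first timestamp at which it crossed the threshold}."""
    detector = EnumerationDetector(window_seconds, max_distinct)
    flagged = {}
    for line in log_text.strip().splitlines():
        ts, client, endpoint, number = parse_line(line)
        if endpoint != LOOKUP_ENDPOINT:
            continue  # only the lookup endpoint is relevant to enumeration
        if client not in flagged and detector.observe(ts, client, number):
            flagged[client] = ts
    return flagged


if __name__ == "__main__":
    for client, first_seen in flag_bulk_lookups(SAMPLE_LOG).items():
        print(f"bulk lookup from {client}, threshold crossed at {first_seen.isoformat()}")
```

With the defaults only 203.0.113.5 is flagged, at the sixth distinct number; 192.0.2.9 makes just as many lookups but spaced so that a 60 s window never holds more than three, which is why the window length matters as much as the threshold. Widening the window to ten minutes catches that slower client too, at the cost of more state per client.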
Anonymous Coward

Is this not more a terms of service violation* than a security problem?

It's actually a business model problem, if they can't guarantee that ephemeral really is ephemeral then they're just another Instagram.

2
0
Silver badge
FAIL

> if they can't guarantee that ephemeral really is ephemeral

and they can't.

It isn't possible. There was a company in the early 2000s trying to do this with web pages. It took me about 45 minutes to think about how to break it and 20 seconds to demonstrate.

Of course it might be slightly easier now, given that you don't actually own or control your phone...

1
0
Bronze badge

Re: > if they can't guarantee that ephemeral really is ephemeral

First law of data on the internet:

If you want something on the internet, it'll disappear the second you look away;

however if you never wanted to get out onto the internet, it'll be there well past the heat-death of the universe.

3
0
Gold badge
Joke

Re: > if they can't guarantee that ephemeral really is ephemeral

I think I've seen something similar...

First law of NSA:

If you know it, the NSA knows it.

Second law of NSA:

Even if you don't know it, chances are that the NSA knows it

0
0
Gold badge

Usernames and telephone numbers

And what else? If I wanted to build up a secret database of names and phone numbers, I'd start with the phone book that BT still drop on my doorstep every other year. As the article stands, there really isn't anything to worry about here. Just a website operator to laugh at.

0
0