Snapchat: In 'theory' you could hack... Oh CRAP is that 4.6 MILLION users' details?

Hackers claim to have lifted millions of Snapchat usernames and phone numbers, apparently taking advantage of a vulnerability that the messaging service last week dismissed as mostly theoretical. A partially redacted database of 4.6 million usernames and phone numbers (minus two digits) - purportedly of Snapchat users - have …

COMMENTS

This topic is closed for new posts.
  1. John H Woods Silver badge

    That turned down $3bn ...

    ... is fading into the distance.

    1. g e

      Re: That turned down $3bn ...

      Yep. Worth about 45p now.

      In fact I'll offer them 30p cash right now. Take it or leave it, one time offer.

  2. John P
    Facepalm

    Idiots, that is all.

    For reference, an excellent new (and free) service that was launched recently to help people determine if their details have been included in this and other big data breaches:

    https://haveibeenpwned.com/

    Enter your email or snapchat username to see if you have been a victim of this and other data breaches (Adobe, Yahoo!, Sony, etc)

    1. Anonymous Coward
      WTF?

      "Enter your email or snapchat username to see if you have been a victim of this and other data breaches (Adobe, Yahoo!, Sony, etc)"

      Yeah right......enter valid details on an unknown website, that sounds like a clever plan!

      Domain Name: HAVEIBEENPWNED.COM

      Registrar: GODADDY.COM, LLC

      Whois Server: whois.godaddy.com

      Referral URL: http://registrar.godaddy.com

      Name Server: NS35.DOMAINCONTROL.COM

      Name Server: NS36.DOMAINCONTROL.COM

      Status: clientDeleteProhibited

      Status: clientRenewProhibited

      Status: clientTransferProhibited

      Status: clientUpdateProhibited

      Updated Date: 13-nov-2013

      Creation Date: 13-nov-2013

      Expiration Date: 13-nov-2014

      1. Chewy

        Run by Troy Hunt who is a security researcher

        1. 02X7Cm

          Don't check with your e-mail address

          If you're affected by the snapchat episode, don't enter you e-mail.

          AFAIK (could be wrong), but reading the exploit code and looking at their API, the most detail it leaks is phone numbers, display name, username and whether the account is public/private; e-mails aren't part of it.

          If you do enter your e-mail you will be leaking your own info. Who such checking sites are run by is irrelevant.

        2. Anonymous Coward

          Which makes the site even more dubious.

          Giving your details to someone who likes to hack things for a living, what could possibly go wrong?

          1. M Gale

            Well, my adobe@ username has obviously been "pwned". None of the others have, allegedly. At least according to that site.

            However according to an utterly massive data dump I (and many others) got from the Reg a while ago, my email address for this place is comprehensively pwned. Coff. Lucky I have at least semi-sensible passwords, eh?

            As for being all super scared about entering your details into that web site, it's been around for quite the long while now. It's being run by someone who presumably wants you to use it. Doing nefarious things with the stuff you type into the search box is not going to be conducive to that. Besides, exactly what is the owner going to do with your username, when s/he apparently already has raw data from umpteen leaks to choose from?

          2. Philip Lewis

            I put my spambucket account in there. let's see if the spam increases :D

        3. John Tserkezis

          "Run by Troy Hunt who is a security researcher"

          Like that's going to make all the difference in the world. I tried "fuckyou@somewhere.com" and it appears that that entirely made up name had already been pawned at Adobe.

          But there is good news: "jdhdu34@ksdjfdke434.com" is free from any pawnage. I'll be sure to use that one in the future...

          1. pixl97

            >I tried "fuckyou@somewhere.com" and it appears that that entirely made up name had already been pawned at Adobe.

            Oh, how original. I'm sure if you tried asdf@asdf.com or one of the other top 100 made-up email addresses you'd find them in commonly hacked databases. Even on sites that require a validation email, that doesn't mean your address is ever deleted from the server if it's not validated.

          2. GaryBarber

            Really? Given the amount of people that don't like giving their details online, you're surprised that the fake email address "fuckyou@somewhere.com" exists on a list of millions of addresses in the Adobe leak?

            Didn't take the monkeys very long to bash that out on their infinite typewriters.

      2. Andrew Waite

        Only 'unknown' if you don't know your InfoSec Pros. Troy has done good work for several years, and is well known and well respected in the industry.

        (I especially recommend you check out his work with cold-call scammers, rather entertaining.)

    2. Anonymous Coward

      Interesting...

      None of my Sony accounts were there, but Adobe and Gawker were.

      It's as if the Sony, Adobe and Gawker hacks are disproportional to the amount of media coverage they got....

    3. Anonymous Coward

      Do you have to enter your password and credit card number too?

    4. Graham Marsden
      Facepalm

      haveibeenpwned...?

      You have now!

    5. Anonymous Coward

      Amazing, I'm on the list and I don't even use or have signed up to snapchat?

    6. John P

      What's with all the downvotes?

      The site is run by Troy Hunt, who is a very well respected security researcher whose reputation is far too valuable for him to do anything screwy with the data people enter. Maybe I should have stated that in my original post.

      He doesn't store the details you enter and even if he did, I'd trust him with my data over a lot of other companies, at least he understands the need for security and how to implement it.

      I was just trying to offer some help so people can discover if their accounts have been compromised, think I won't bother next time!

      1. 142

        Re: What's with all the downvotes?

        I agree. It showed my spam-box email address, which I don't care about, was leaked by Adobe, together with the password I used on the site. There was zero reason to require an email address or account for what I had needed anyway, Adobe just insisted, like Codemasters before them, with the same result. CUNTS, the lot of them.

        However, I guess a point is that you probably shouldn't need to use Hunt's site - you should assume your details are stolen, and act accordingly.

    7. miknik

      Seems legit

      Enter your details, hit submit and then the server spits you out at haveibeenpwned.com/youhavenow

  3. ukgnome

    Does this mean...

    That I will start receiving random selfies

    1. asdf

      Re: Does this mean...

      Yep I hooked you up so you get all the before selfies from Weight Watchers customers from now on.

  4. bigtimehustler

    Errr, seeing as snapchat claim to have 30 million active accounts I wouldn't describe 4.6 million as the 'vast majority'. But hey, nothing wrong with talking up a story. Neither I nor a few random friends I checked are actually in the list, thankfully. Having said that, it's outrageous they knew about the issue and did nothing; with more time and effort they probably could have obtained most of the accounts.

    1. Destroy All Monsters Silver badge
      Trollface

      25 million accounts are dogeaccounts

    2. Anonymous Coward
      Trollface

      @bigtime - "seeing as snapchat claim to have 30 million active accounts"

      It must be true - I read it on the intertubes. No website would ever lie about the size of its active user base.

  5. Rambler

    4.6 M actual out of 30 M claimed

    on the plus side it IS snapchat, so all the details will disappear in a few minutes anyway :oP

    1. MrT

      Sophos Naked Security blog...

      ... natural(ist)ly, given the content...

  6. Tim 11

    useful stuff

    What would I give to have the email address and phone number of everyone who uses snapchat? Hmm, about £0.00

    1. Crazy Operations Guy

      Re: useful stuff

      They've already proven to be blindingly trustful of people on the internet, just claim to be a new internet payment company that deletes their banking details 6 seconds after the transaction and you can start extracting obscene amounts of cash from them.

      I know that most of the users are teenagers living at home, but the same kind of parent that gives their kids a smartphone is also the same kind of idiot that gives them a credit card.

  7. This post has been deleted by its author

  8. Will Godfrey Silver badge
    Happy

    Unprecedented

    Nothing like this has ever happened before, so obviously the people running Snap{whatever} couldn't possibly have foreseen that their inaction would lead to this, could they?

    Could they?

  9. tom dial Silver badge

    Is this not more a terms of service violation* than a security problem? I don't use Snapchat and don't know their terms, but it appears the "hack" uses a provided API for its intended purpose, albeit "from a program" and at a high rate. If this runs against their TOS and they chose not to prevent it that is pretty sloppy on their part and risks customer irritation for going beyond what they thought based on the TOS acceptance that they clicked without reading any part of.

    * Of course, in the US this might fall under the Computer Fraud and Abuse Act and be subject to prosecution by an occasional politically ambitious US Attorney
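    The comment above describes a legitimate API driven "from a program" at a high rate. As an added example (not code from the thread, from Snapchat, or from any real lookup service), here is a defender-side detector for that pattern over a constructed lookup log: it flags any client that queries many distinct phone numbers in a short window and separately notes when the queried numbers advance one at a time, the signature of enumeration rather than a genuine contact sync.

    ```python
    # Added example: detect bulk phone-number lookups against a "find friends"
    # style endpoint. The log format (timestamp, client id, phone) is constructed
    # for this example and is not any real service's log format.
    from collections import defaultdict, deque
    from datetime import datetime, timedelta

    # Constructed sample log: client-A walks consecutive numbers in seconds,
    # client-B makes two unrelated lookups five minutes apart.
    SAMPLE_LOG = """\
    2014-01-01T10:00:00 client-A +14155550100
    2014-01-01T10:00:01 client-A +14155550101
    2014-01-01T10:00:02 client-A +14155550102
    2014-01-01T10:00:03 client-A +14155550103
    2014-01-01T10:00:04 client-A +14155550104
    2014-01-01T10:00:05 client-B +14155550900
    2014-01-01T10:05:00 client-B +14155550901
    """

    def parse_log(text):
        """Turn the constructed log into (datetime, client, phone) tuples."""
        events = []
        for line in text.splitlines():
            ts, client, phone = line.split()
            events.append((datetime.fromisoformat(ts), client, phone))
        return events

    def find_bulk_lookups(events, window=timedelta(seconds=60), threshold=4):
        """Return {client: peak distinct phones seen in any `window`} for clients
        that reach `threshold` distinct numbers inside one sliding window."""
        recent = defaultdict(deque)   # per-client queue of (ts, phone) in window
        flagged = {}
        for ts, client, phone in sorted(events):
            q = recent[client]
            q.append((ts, phone))
            while q and ts - q[0][0] > window:   # drop events older than window
                q.popleft()
            distinct = len({p for _, p in q})
            if distinct >= threshold:
                flagged[client] = max(flagged.get(client, 0), distinct)
        return flagged

    def looks_sequential(phones):
        """True if the queried numbers advance by exactly 1 each time,
        which a real address-book sync would not produce."""
        nums = [int(p.lstrip("+")) for p in phones]
        return len(nums) >= 3 and all(b - a == 1 for a, b in zip(nums, nums[1:]))

    def phones_for(events, client):
        """Helper: the phone numbers one client queried, in time order."""
        return [p for _, c, p in sorted(events) if c == client]
    ```

    In production the threshold and window would be tuned against real contact-sync traffic, and a flagged client would be rate-limited or challenged rather than silently served.
    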

    1. Anonymous Coward

      Is this not more a terms of service violation* than a security problem?

      It's actually a business model problem, if they can't guarantee that ephemeral really is ephemeral then they're just another Instagram.

      1. P. Lee
        FAIL

        > if they can't guarantee that ephemeral really is ephemeral

        and they can't.

        It isn't possible. There was a company in the early 2000s trying to do this with web pages. It took me about 45 minutes to think about how to break it and 20 seconds to demonstrate.

        Of course it might be slightly easier now, given that you don't actually own or control your phone...

        1. Crazy Operations Guy

          Re: > if they can't guarantee that ephemeral really is ephemeral

          First law of data on the internet:

          If you want something on the internet, it'll disappear the second you look away;

          however if you never wanted to get out onto the internet, it'll be there well past the heat-death of the universe.

          1. BristolBachelor Gold badge
            Joke

            Re: > if they can't guarantee that ephemeral really is ephemeral

            I think I've seen something similar...

            First law of NSA:

            If you know it, the NSA knows it.

            Second law of NSA:

            Even if you don't know it, chances are that the NSA knows it

  10. Ken Hagan Gold badge

    Usernames and telephone numbers

    And what else? If I wanted to build up a secret database of names and phone numbers, I'd start with the phone book that BT still drop on my doorstep every other year. As the article stands, there really isn't anything to worry about here. Just a website operator to laugh at.
