The group, Snapchat DB, published the usernames and phone numbers of 4.6 million of Snapchat’s users on New Year’s Eve. The entire database was made available for download, although the group redacted the last two digits of the phone numbers.
“Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed. It is understandable that tech startups have limited resources but security and privacy should not be a secondary goal. Security matters as much as user experience does,” said the hacker group, based in the US and Europe, in a statement.
Snapchat caught on as a leading app among the so-called “drive-by” messaging services. Its appeal, to sexters and others, was that users can send pictures or texts to friends, with the message deleting itself after being sent.
The specific security flaw was in the Find Friends feature, which Snapchat said in a blog post it was working to fix.
“We will be releasing an updated version of the Snapchat application that will allow Snapchatters to opt out of appearing in Find Friends after they have verified their phone number,” said the company. “We’re also improving rate limiting and other restrictions to address future attempts to abuse our service.”
Rate limiting restricts the number of times a user can query the Snapchat servers.