Even as Snapchat has become the latest Internet darling, daring to reject multibillion-dollar acquisition deals, the young company has masked what some consider to be a dirty little secret: Its security may not be all that different from that of other big messaging services.
That secret was laid bare last week when a group of security researchers exploited a weakness in Snapchat’s systems to snag and post usernames and telephone numbers for 4.6 million Snapchat users.
Snapchat has long marketed itself as a private and more secure alternative to services like Facebook and its subsidiary Instagram. The app lets users send photo and video messages that disappear once they are viewed. That self-destruct feature initially gave the app a reputation as a favorite tool for so-called sexters, or those who send sexually suggestive photos of themselves, but eventually it went mainstream.
As of September, Snapchat's users were sending 350 million photos a day, up from 200 million in June. The company continues to hire, has moved to a large, custom-designed office in Venice Beach, Calif., and is well-funded, recently adding $50 million in venture capital funding.
But researchers have long criticized Snapchat, saying it provides a false sense of security. They say the app’s disappearing act is illusory. Behind the scenes, Snapchat stores information about its users in a database, similar to data storage at other big Internet companies.
On Wednesday, security researchers posted the usernames and phone numbers on a site called SnapchatDB.info and made the data available for download.
In an email, the researchers said they were able to snag the data through a vulnerability identified by Gibson Security, a company that privately notified Snapchat of the hole in its system, then, after the notice was ignored, posted the vulnerability online on Christmas Eve.
The hole was later patched. SnapchatDB.info’s researchers said they posted the information because Snapchat was too slow to respond.
In an email, the security researchers behind SnapchatDB.info said they were able to grab Snapchat’s user data from its servers, where it had been stored in clear text.
In an email, one researcher said the data was not being encrypted or “hashed” to make it difficult for hackers to piece together.
“We were able to query for the information as fast as our connection allowed us to,” the researchers added. “Our main goal is to raise public awareness on how reckless many Internet companies are with user information.”
SnapchatDB.info’s researchers said that to protect affected users, they redacted the last two digits of phone numbers but would consider handing over the data in aggregate.
Snapchat characterized the leak as a malicious hack.
“On New Year’s Eve, an attacker released a database of partially redacted phone numbers and usernames. No other information, including Snaps, was leaked or accessed in these attacks,” the company said in a blog post.
Snapchat said it would release an updated version of its application that would allow users to opt out of the function that lets people search for friends using their phone numbers. The company said it was working to prevent “future attempts to abuse our service.”