Snapchat has issued a response following the New Year’s leak of 4.6 million user names and phone numbers by a group of security researchers. In a blog post that was less cavalier than its initial response, the ephemeral messaging startup announced that it will be releasing an updated version of its app enabling users to opt out of appearing in its Find Friends setting after verifying their phone number.
Rate limiting is also being improved, and other restrictions are being put in place in the hope of addressing future abuse attempts.
Interestingly, today’s blog post shows that Snapchat acknowledges that there was a problem, but it doesn’t apologize for not implementing a fix.
Last month, Gibson Security submitted a report to Snapchat highlighting two exploits in the app that could allow hackers to gain unauthorized access to user data. Snapchat responded days later in a manner that seemed less than reassuring:
Our Find Friends feature allows users to upload their address book contacts to Snapchat so that we can display the accounts of Snapchatters who match the phone numbers found in the address book. Adding a phone number to your Snapchat account is optional, but it’s helpful for allowing your friends to find you. We don’t display the phone numbers to other users and we don’t support the ability to look up phone numbers based on someone’s username.
The company went on to state that it has spent the past year working on and implementing safeguards to protect user data. However, days after that post was published, a group of researchers not affiliated with Gibson Security leaked a database of 4.6 million users and made their usernames and phone numbers available to anyone. It was a reaction to the slow progress that Snapchat was making, and it certainly got a quick response from the company today.
In fact, you can read its statement on the hack, which was buried in the third paragraph of Snapchat’s response:
On New Years Eve, an attacker released a database of partially redacted phone numbers and usernames. No other information, including Snaps, was leaked or accessed in these attacks.
The company went a bit further to express its willingness to work with security experts, saying that any firm aware of vulnerabilities in its system should email it at firstname.lastname@example.org.
Hat-tip Farhad Manjoo