January 10, 2014
Snapchat is offering its belated apologies after its site was used by hackers to expose the usernames and phone numbers of 4.6 million users on New Year’s Eve.
The messaging app, which is popular with teens, acknowledged in a Jan. 2 blog post that the way it was storing information enabled hackers to “abuse” its systems, but the company never actually apologized to its members whose data was published in the breach.
Finally, in a blog post Thursday — more than a week after the hacking incident — the Snapchat team said it was sorry.
Here is the post:
This morning we released a Snapchat update for Android and iOS that improves Find Friends functionality and allows Snapchatters to opt-out of linking their phone number with their username. This option is available in Settings > Mobile #.
This update also requires new Snapchatters to verify their phone number before using the Find Friends service.
Our team continues to make improvements to the Snapchat service to prevent future attempts to abuse our API. We are sorry for any problems this issue may have caused you and we really appreciate your patience and support.
The apology was certainly warranted, not to mention too long in coming, especially when Snapchat knew months before the hack that there were vulnerabilities in its system.
Gibson Security informed the firm of the problem this summer and took Snapchat to task in a post on its website the week before the hack for not patching the ‘find friends’ exploit as well as a vulnerability in its ‘bulk registration’ system.
Gibson was derisive of Snapchat in its post, saying the company was too busy turning down acquisition offers from Facebook to make a simple fix to 10 lines of code.
“They’ve had four months, if they can’t rewrite ten lines of code in that time they should fire their development team,” Gibson said in an interview with ZDNet. “This exploit wouldn’t have appeared if they followed the best practices and focused on security (which they should be, considering the use cases of the app).”
Snapchat, in its blog post written before the hack, insisted it had addressed the flaws discovered by Gibson, adding that it had “implemented various safeguards” and taken “additional counter-measures.”
The measures, however, quite obviously did not work. The database of user information was available for download from SnapchatDB.info on New Year’s Eve and part of New Year’s Day, although the website has since been suspended.
While affected users were mainly American, some Canadian users were also hit.
Jennifer Cowan is the Managing Editor for SiteProNews.