In a brazen move, a group has utilized an exploit for a recently patched Snapchat vulnerability and has released a database containing usernames and phone numbers of 4.6 million Snapchat users. The group removed the last two digits of the phone numbers, but is claiming it will make the full version available under certain circumstances.
The database is currently available for download at snapchatdb.info. The domain was registered today (12/31/13) and appears to be hosted in Latvia. 4.6 million is not the entire user base of Snapchat, which is estimated to be at least three times that size.
Many area codes in the U.S. are not in the database. Oregon users, for example, appear to be completely absent. This would indicate that those who harvested the data did so by running phone number sequences against the API looking for matches and then extracting the usernames of those who were found.
Snapchat may have implemented rate limiting, but if they based it on IP address, this is easily circumvented by distributing the process across thousands of systems or by other methods. It may also be that the entire database has not been made available for download… yet.
Gibson Security discovered the vulnerability in July and notified Snapchat in August. Apparently the disclosure was ignored and the details of the exploit were made public last week.
Snapchat responded in a recent blog post that they had “implemented various safeguards” and added “additional counter-measures”, without stating specifically that the vulnerability was fixed. However, even if it has been patched, it appears to be too late, and the fixes may not be good enough.
We know nothing about SnapchatDB, but it was a matter of time til something like that happened. Also the exploit works still with minor fixes
— Gibson Security (@gibsonsec) January 1, 2014