As you may have heard, Snapchat suffered a data breach on Tuesday that reportedly exposed 4.6 million usernames and phone numbers, which were then posted on SnapchatDB.info.
Security professionals have for some time been skeptical about the popular app's security, or lack of it, and have said so to Snapchat, so this type of breach may or may not come as a surprise.
According to Roel Schouwenberg, Principal Security Researcher at Kaspersky Lab, the attackers in the Snapchat incident made full use of the Snapchat API and were able to retrieve usernames by guessing phone numbers.
“Given the ease of the attack and the amount of time that it’s been known for, about half a year, it’s a pretty safe bet to assume at least all the U.S. phone numbers have been tried and mapped,” Schouwenberg said.
So what exactly could the attackers do with this information? Schouwenberg said that the frequent reuse of usernames could open the door to secondary attacks. “If the attacker is able to craft a profile of the target they could then use the collected phone number to pretend they’re the bank. Alternatively the phone number could be used in a phishing message to give the message extra credibility. These are just a few small examples. There are a lot of possibilities for the attackers so it’s important to be vigilant, especially as the information that’s out there can’t be easily changed. A credit card compromise is inconvenient, but ultimately a card is easily replaced. The same doesn’t apply to a phone number.”
If you are a Snapchat user, Schouwenberg offers the following advice: “Most importantly this should serve as another reminder that people should have very little expectations of anonymity online. It’s definitely a lot easier finding out someone’s real identity when you have their phone number. Therefore always try to use unique usernames.”
Mashable also provided a link to a website that lets you check whether your email address was affected by the breach.
According to USA Today, Snapchat says it plans to release a new version of the app that will let users opt out of the ‘Find Friends’ feature, which the hackers exploited.
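The attack described above works because a phone-number lookup endpoint answered an unbounded stream of guesses. From the service operator's side, the abuse is visible in the lookup logs long before a dump appears: a genuine address-book sync is bounded by the size of a real contact list and mostly hits existing users, whereas a number-guessing sweep is large, sequential and mostly misses. The following is an added example, not Snapchat's code or the code from the incident; it assumes a hypothetical lookup log in the format `<ISO timestamp> <client id> <phone number> <match|miss>`, runs over constructed sample lines, and uses illustrative thresholds (100 distinct numbers and a 90% miss rate within five minutes) that a real deployment would tune to its own traffic.

```python
"""Flag clients whose phone-number lookups look like enumeration rather than an
address-book sync. Added example; log format, client ids and thresholds are
assumptions, and the sample log is constructed, not real traffic."""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample log (not real data). client-A syncs a 30-entry
    contact list, half of which belong to users. client-B walks a sequential
    block of 300 numbers one second apart, and only 3 of them match."""
    t0 = datetime(2014, 1, 1, 10, 0, 0)
    lines = []
    for i in range(30):
        result = "match" if i % 2 == 0 else "miss"
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} client-A +1555123{i:04d} {result}")
    for i in range(300):
        result = "match" if i % 100 == 0 else "miss"
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} client-B +1555000{i:04d} {result}")
    return "\n".join(lines)


def parse_line(line):
    """One log line -> (timestamp, client id, phone number, matched?)."""
    ts, client, phone, result = line.split()
    return datetime.fromisoformat(ts), client, phone, result == "match"


def find_enumerators(log_text, window=timedelta(minutes=5),
                     max_distinct=100, min_miss_rate=0.9):
    """Return {client: stats} for every client that, inside any `window`, looked
    up more than `max_distinct` different numbers with a miss rate of at least
    `min_miss_rate`. Both conditions are required: a big sync that mostly
    matches is normal, a small batch that mostly misses is a typo-ridden
    contact list, but big and mostly missing is a guessing sweep."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, client, phone, matched = parse_line(line)
            by_client[client].append((ts, phone, matched))

    flagged = {}
    for client, events in by_client.items():
        events.sort()  # sliding window needs time order
        start = 0
        for end, (ts_end, _, _) in enumerate(events):
            # Advance the window start until it spans at most `window`.
            while ts_end - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            distinct = {phone for _, phone, _ in win}
            miss_rate = sum(1 for *_, m in win if not m) / len(win)
            if len(distinct) > max_distinct and miss_rate >= min_miss_rate:
                flagged[client] = {
                    "distinct_numbers": len(distinct),
                    "miss_rate": round(miss_rate, 2),
                    "window_start": events[start][0].isoformat(),
                }
                break  # first offending window is enough to raise an alert
    return flagged


if __name__ == "__main__":
    for client, stats in find_enumerators(build_sample_log()).items():
        print(client, stats)
```

On the constructed log, client-B is reported as soon as its 101st distinct number is seen with a 98% miss rate, while client-A's 30-entry sync never crosses the threshold. The same two signals are what a rate limit on the lookup endpoint should key on: a per-client budget of distinct numbers per window, with the budget lowered further when the miss rate climbs, so that a legitimate sync completes while a sweep of an entire area code does not.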