Snapchat hack believed to have hit 4.6 million users

‘Syrian Electronic Army’ attacks Skype in separate incident

The Snapchat app, which deletes messages after they are delivered. Applications such as Snapchat are gaining popularity for the perception of privacy, but the company’s privacy policy explains those images can be retrieved from its servers even after they are deleted. Photograph: J. Emilio Flores/The New York Times

An anonymous group of hackers has dumped a vast database of what appeared to be 4.6 million Snapchat users’ mobile numbers and usernames, just days after Snapchat claimed it had safeguards in place to fix a security vulnerability that could divulge users’ personal information.

In a separate hacking incident involving a hugely popular social media application, the so-called Syrian Electronic Army, an amorphous hacker collective that supports Syrian president Bashar al-Assad, claimed credit yesterday for hacking into the social media accounts of internet calling service Skype.

A website called SnapchatDB released the vast database, which included usernames and phone numbers of Snapchat users in the US. The last two digits of each number were redacted by the group.

The site later appeared to have been taken down, but, while accessible, explained that the material had been published to “raise awareness” of the issue.


“This information was acquired through the recently patched Snapchat exploit and is being shared with the public to raise awareness on the issue. The company was too reluctant at patching the exploit until they knew it was too late and companies that we trust with our information should be more careful when dealing with it,” it said.

“For now, we have censored the last two digits of the phone numbers in order to minimise spam and abuse.”

The site also said it might consider releasing the unredacted database “under certain circumstances”.

Snapchat is a mobile phone app which allows users to send instant, time-limited picture messages to each other.

A survey by research company Ipsos/MRBI suggested last year that some 43 per cent of Irish residents aged between 15 and 24 have a Snapchat account, with half of those using the app every day.

The publication of the usernames and numbers came after details of the vulnerability were made public by an Australian security research group called Gibson Security on Christmas Day. The group outlined how the vulnerability could be exploited, and said Snapchat did not respond to it when it raised the issue months ago.

Gibson Security tweeted it had no involvement in the release of the user information.

“We know nothing about SnapchatDB, but it was a matter of time til something like that happened,” it tweeted.

After Gibson published its findings Snapchat said it took user privacy seriously and replied in a blogpost: “Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the US, they could create a database of the results and match usernames to phone numbers that way.

“Over the past year we’ve implemented various safeguards to make it more difficult to do. We recently added additional counter-measures and continue to make improvements to combat spam and abuse.”

Snapchat has been contacted for comment on the release of the SnapchatDB database.

Separately, the Syrian Electronic Army claimed credit on Wednesday for hacking Skype.

It also posted the contact information of Steve Ballmer, Microsoft’s retiring chief executive, on its Twitter account along with the message, “You can thank Microsoft for monitoring your accounts/emails using this details. #SEA”

That message was an apparent reference to revelations last year by former National Security Agency contractor Edward Snowden that Skype, which is owned by Microsoft, was part of the NSA’s programme to monitor communications through some of the biggest US Internet companies.

A message posted on Skype’s official Twitter feed on Wednesday, apparently by the hacking group, read: “Don’t use Microsoft emails (hotmail, outlook), They are monitoring your accounts and selling the data to the governments. More details soon. #SEA”

Similar messages were posted on Skype’s official Facebook pages and on a blog on its website before being taken down in late afternoon.

The SEA later tweeted out copies of the message “for those who missed it”.

Representatives for Microsoft could not be reached for comment.

The NSA's practices essentially made Microsoft and other technology companies partners in government surveillance efforts against private citizens in the United States and elsewhere. Last month Microsoft joined seven other top technology companies in pressing President Barack Obama to rein in the US government's electronic spying in a meeting at the White House.

Media companies, including the New York Times and the BBC, have repeatedly been targeted by the Syrian Electronic Army and other hacker activist groups that deface websites and take over Twitter accounts.

Mr Obama and his national security team are trying to decide what recommendations to adopt from an outside panel’s review of the NSA’s activities.

A US District judge in December ruled that the US government’s gathering of Americans’ phone records is likely unlawful and raised what he called “serious doubts” about the value of the so-called metadata counter-terrorism programme.

But a second federal judge ruled later in the month that the programme was constitutional, raising the likelihood that the issue will be settled by the US Supreme Court.

This week, a monitoring group said the death toll in Syria’s civil war, which began in March 2011 as peaceful protests against four decades of rule by Dr Assad’s family, had risen to at least 130,000.

Guardian/Reuters