Using a slightly modified version of an exploit pointed out by Gibson Security last week, a group managing a site called SnapchatDB.info published a list of 4.6 million usernames and phone numbers easily pulled from Snapchat. While the site has been suspended by the host due to overwhelming traffic, a cached version of the site can still be found here. It’s likely that the list is being distributed through other online sources as well.
Describing the file to visitors, the group states “You are downloading 4.6 million users’ phone number information, along with their usernames. People tend to use the same username around the web so you can use this information to find phone number information associated with Facebook and Twitter accounts, or simply to figure out the phone numbers of people you wish to get in touch with.”
Explaining the reasoning behind the release, the group continues “This database contains username and phone number pairs of a vast majority of the Snapchat users. This information was acquired through the recently patched Snapchat exploit and is being shared with the public to raise awareness on the issue. The company was too reluctant at patching the exploit until they knew it was too late and companies that we trust with our information should be more careful when dealing with it.”
However, the group has censored the last two digits of the phone numbers in order to reduce abuse. That being said, anyone familiar with their friends’ usernames would be able to match a friend to a Snapchat account. If you want to find out if your Snapchat username is included in the file, visit the username look-up page on Gibson Security here.
In addition, a Reddit user named antimatter15 combed through the database to determine which U.S. states weren’t included in the leaked information. Those states include Alaska, Delaware, Hawaii, Kansas, Maryland, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Mexico, North Carolina, North Dakota, Oklahoma, Oregon, Rhode Island, Utah, Vermont, West Virginia, and Wyoming.
Commenting on the recently leaked personal information, Gibson Security tweeted “We know nothing about SnapchatDB, but it was a matter of time til something like that happened. Also the exploit works still with minor fixes.”
Snapchat had previously responded to the Gibson Security report in a blog post last week. In that post, a Snapchat representative stated “Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way. Over the past year we’ve implemented various safeguards to make it more difficult to do. We recently added additional counter-measures and continue to make improvements to combat spam and abuse.”
Snapchat has not yet released a statement regarding the leak. While Snapchat hasn’t released information about the size of its overall userbase, Nielsen estimated it at around 8 million users within the United States around May 2013. During November 2013, Snapchat CEO Evan Spiegel stated that approximately 70 percent of Snapchat users are female.