NEW YORK — Snapchat says it plans to put out a more secure version of its application following a breach that allowed hackers to collect 4.6 million user names and phone numbers.
The disappearing-message service popular with young people said in a blog post late Thursday that the updated version of its app would allow users to opt out of its “Find Friends” feature, which was apparently at the heart of the breach, and would stem future attempts to abuse its service.
The breach occurred after security experts warned the company at least twice about a vulnerability in its system.
Before announcing its plans to update the app, Snapchat had been quiet. Its seemingly detached response caused some security specialists to wonder whether the young company can handle the spotlight that it’s been thrust into over the last year as its service has become enormously popular.
In response to a warning by Gibson Security on Dec. 25 — which followed an earlier alert in August — Snapchat said in a blog post last Friday that it had implemented “various safeguards” over the past year that would make it more difficult to steal large sets of phone numbers. Snapchat hasn’t detailed the changes it made.
As Americans rang in the New Year, hackers reportedly published 4.6 million Snapchat user names and phone numbers on a website called snapchatdb.info, which has since been suspended. The breach came less than a week after the most recent warning from security experts that an attack could take place.
The incident bruises the company’s image and may threaten its rapid growth. Los Angeles-based Snapchat has no source of revenue, but its rapid rise to an estimated 20 million U.S. adult users prompted Facebook to extend a reported $3 billion buyout offer last year, which the company turned down. The number-of-users estimate is based on census figures and data from the Pew Research Center.
What should users do? Gibson Security, the firm that warned Snapchat of the security vulnerability on Christmas Day, has created a site — http://lookup.gibsonsec.org/ — that lets users type in their user name to see if their phone number was among those leaked. Of two user accounts that The Associated Press checked, one was found to have been compromised.
Gibson Security did not publish the last two digits of the phone numbers. Gibson says users can delete their Snapchat account if they wish, but “this won’t remove your phone number from the already circulating leaked database.” Users can also ask their phone company to give them a new phone number.
“Lastly, ensure that your security settings are up to scratch on your social media profiles. Be careful about what data you give away to sites when you sign up — if you don’t think a service requires your phone number, don’t give it to them,” Gibson said.
Gartner security analyst Avivah Litan said phone numbers are not considered “sensitive” personally identifiable information — such as credit card or Social Security numbers — so they are collected by all sorts of companies to verify a person’s identity.
Regarding Snapchat’s responses to the security warnings, however, Litan said it “doesn’t seem that responsible to be so nonchalant about it.”