Another day and another social media site has been hacked exposing millions of users’ data to the public. This time the popular service Snapchat got hacked. 4.6 million users had their information taken and published. This breach is very interesting because the hackers released the information not for financial gain but as a lesson to Snapchat and others about their lack of focus on security.
For a while it was assumed that this reported breach was a hoax but it was confirmed to not be a hoax News Year’s Eve when the database of users’ info was released. The group SnapchatDB released a statement about their actions. If you use Snapchat there’s a link where you can check your username to see if it was part of the Snapchat hack – http://lookup.gibsonsec.org/lookup
Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed. It is understandable that tech startups have limited resources but security and privacy should not be a secondary goal. Security matters as much as user experience does.
We used a modified version of gibsonsec’s exploit/method. Snapchat
could have easily avoided that disclosure by replying to Gibsonsec’s private communications, yet they didn’t. Even long after that disclosure, Snapchat was reluctant to taking the necessary steps to secure user data. Once we started scraping on a large-scale, they decided to implement very minor obstacles, which were still far from enough. Even now the exploit persists. It is still possible to scrape this data on a large scale. Their latest changes are still not too hard to circumvent.
We wanted to minimize spam and abuse that may arise from this release. Our main goal is to raise public awareness on how reckless many internet companies are with user information. It is a secondary goal for them, and that should not be the case. You wouldn’t want to eat at a restaurant that spends millions on decoration, but barely anything on cleanliness.
From Snapchat Blog: Finding Friends with Phone Numbers
Occasionally computer security professionals and other helpful people reach out to us about potential bugs and vulnerabilities in Snapchat. We are grateful for the assistance of professionals who practice responsible disclosure and we’ve generally worked well with those who have contacted us.
This week, on Christmas Eve, a security group posted documentation for our private API. This documentation included an allegation regarding a possible attack by which one could compile a database of Snapchat usernames and phone numbers.
Our Find Friends feature allows users to upload their address book contacts to Snapchat so that we can display the accounts of Snapchatters who match the phone numbers found in the address book. Adding a phone number to your Snapchat account is optional, but it’s helpful for allowing your friends to find you. We don’t display the phone numbers to other users and we don’t support the ability to look up phone numbers based on someone’s username.
Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way. Over the past year we’ve implemented various safeguards to make it more difficult to do. We recently added additional counter-measures and continue to make improvements to combat spam and abuse.
A few days before the database of compromised accounts were released Snapchat posted an interesting post on their blog about their security risks. If you read the hacker’s statement and Snapchat’s you can read between the lines that the hackers tried to help Snapchat fix the vulnerabilities. Instead of plugging the hole it appears that Snapchat merely band aided them without fixing the underlying hole(s) that the hackers continued to exploit. Eventually the hackers got fed up with it and released the data with the message about lack of security focus in this social media and application happy world.
I don’t condone hacking of any kind but I am siding with the intentions of the hackers because they are correct. As a user you cannot trust anything be it a website, an application on your phone or a person selling you something. Most of the time security around your data is not their top priority and most likely the bare minimum is done to get by an audit. The growing public breaches are beginning to show this to the rest of the world that security focus is lacking. The best security is the ones you don’t hear about.
Here are a few measures you can take as a user to protect yourself if one of your applications or services you use is breached:
- NEVER use the same password on multiple sites. Use central authentication through Facebook or Twitter if you can if it’s a standalone account use a different password. If your password is breached from one site they could potentially gain access to anything else you have access to where you used the same password.
- TRY NOT TO use the same userid across multiple sites. Anything financial, insurance, and personal should always be 100% unique accounts.
- RESET PASSWORDS OFTEN and NEVER use straight words. Good practice, 8 characters long, use uppercase, lowercase, numbers and a special character.
- CREATE A SECOND EMAIL ACCOUNT, use a junk email account for websites you use for leisure, subscriptions, forums, etc… Don’t use your primary email address you use for banking, family and friends, online ordering with credit cards. Keep the junk as isolated as you can from your ‘real’ business.
- NEVER, EVER, EVER, NEVER, EVER fall for the old ‘login to your bank or your account will be disabled’ trick. NO COMPANY AT ANYTIME WILL EVER ASK YOU TO LOGIN. EVER.
- IF IT SOUNDS FISHY IT PROBABLY IS.
Forgive the CAPS but I wanted your full attention.
As a user you are responsible to maintain the security of your information and accounts across the Internet because you cannot rely on any service to have it as a top priority or have the knowledge to properly implement it.
Binary Blogger has spent 20 years in the Information Security space currently providing security solutions and evangelism to clients. From early web application programming, system administration, senior management to enterprise consulting I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.