Another day another story -- or two -- of the hacking of well-known brands. This time, it’s Snapchat and Skype. Reports circulated on Tuesday night that as many as 4.6 million Snapchat usernames and phone numbers have been posted online as a downloadable database, apparently by the same hackers who breached the company’s security.
By Wednesday morning, the site where the data was posted had been taken down, and the posting said that the information “was being shared with the public to raise awareness” of a security issue on the site. The last two numbers of the posted phone numbers were “censored,” the hackers said, in order to “minimize spam and abuse.” But it invited visitors to “ask for the uncensored database,” which the hackers said they might release “under certain circumstances.”
Find Friends Feature
The vulnerability in question, made public by security firm Gibson Security, is one the company has known about, as it noted in a post on the official company blog on December 27. It described a Find Friends feature that allows users to upload address book contacts and then find the Snapchat accounts matching the phone numbers in the address book, if the Snapchat accounts have uploaded an optional phone number.
“Theoretically,” the posting noted, “if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way.”
In the December 27 posting, the company said it had implemented various safeguards in the past year to make this kind of match “more difficult to do,” but, as evidenced by the posted 4.6 million usernames and phone numbers, apparently not difficult enough.
But, if it’s any consolation to up-and-coming Snapchat, the venerable technology giant has also suffered a recent hack attack. On New Year’s Day, the headline of a post on the Skype blog touted that the site had been “Hacked by the Syrian Electronic Army.”
The headline added that Microsoft, which owns Skype, should “stop spying,” a sentiment that was also relayed in an apparent hacking of Skype’s Twitter and Facebook accounts. Additionally, contact information for outgoing CEO Steve Ballmer was posted. The messages and contact information have since been removed, and Microsoft said that “no user info was compromised.”
The hacks follow the theft late last month of confidential data relating to 40 million credit and debit cards from the retailer Target.
Laura DiDio, an analyst with industry research firm Information Technology Intelligence Corp., noted that, these days, “a hack-a-day is unfortunately the new norm.”
She pointed out that, while these mega-hacks are taking place much more frequently these days, there are still things businesses and companies can do to minimize their exposure. “The biggest threat to most organizations,” DiDio said, “remains end users," and companies can review, update and implement policies to encourage and enforce best practices by its employees.