The individual or team claiming responsibility for SnapchatDB has responded to The Verge's requests for comment the morning after the database went online, containing a leaked collection of some 4.6 million apparent Snapchat usernames and partial phone numbers. "Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed," they say. "Security matters as much as user experience does."
"Even now the exploit persists."
Giving organizations a specific timeframe in which to fix a security flaw in their product before releasing details to the public is a common tactic among white-hat hackers, designed to put pressure on developers to fix the flaws as quickly as possible. In Snapchat's case, the leak comes just days after a blog post in which Snapchat alluded to a flaw posted on Christmas Eve by Gibson Security that alleged it could match thousands of phone numbers to usernames every few minutes. "Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the US, they could create a database of the results and match usernames to phone numbers that way," Snapchat wrote.
Indeed, that appears to be what the team behind SnapchatDB did: "We used a modified version of [Gibson Security's] exploit / method," they tell The Verge. "Snapchat could have easily avoided that disclosure by replying to Gibsonsec's private communications, yet they didn't. Even long after that disclosure, Snapchat was reluctant to take the necessary steps to secure user data. Once we started scraping on a large scale, they decided to implement minor obstacles, which were still far from enough. Even now the exploit persists. It is still possible to scrape this data on a large scale."
SnapchatDB's website has since been taken down "not due to legal action, but due to the hosting provider being intimidated by the overwhelming attention that this is getting," they say.
SnapchatDB is offering the uncensored database to some who ask
SnapchatDB says that it isn't related to Gibson Security, implying they've only used Gibson's published methods to scrape user data and build a database. It's hiding the last two digits of the phone numbers in that collection, but has said that viewers should "feel free" to contact it for the uncensored version, which it claims to be offering to some who ask. Who's been asking for it so far? "Security researchers from around the world, professors from various universities, private investigators and attorneys," SnapchatDB says. "Snapchat hasn't made any efforts to contact with us but seeing how they disregarded [Gibson Security's] communication attempts, and how they reacted after they noticed the scraping was going on, I don't think they care enough."
Snapchat has yet to comment on the leak.