Snapchat said today it would alter its app to make it harder for malicious users to collect and leak millions of usernames connected to phone numbers. The move comes after a group calling itself SnapchatDB rang in the New Year by leaking 4.6 million partially redacted phone numbers, in a stunt they said was designed to raise awareness about security flaws in Snapchat's app.
The leak was made possible by the app's Find Friends feature, which lets users find any friend who has shared a phone number with the service. SnapchatDB used the feature to upload a huge volume of phone numbers to the service to discover Snapchat accounts linked to them, and created a searchable database of the results. "We will be releasing an updated version of the Snapchat application that will allow Snapchatters to opt out of appearing in Find Friends after they have verified their phone number," Snapchat said in its blog post. "We're also improving rate limiting and other restrictions to address future attempts to abuse our service."
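The mechanics described above, as an added illustration that is not Snapchat's code or API: a contact-matching lookup that accepts any batch from any caller lets a single client sweep an entire number range, while the same lookup behind a per-client rate limit, a batch-size cap and a per-user opt-out bounds what one client can learn. The directory, phone numbers, usernames and limits below are all constructed for the example.

```python
"""Contact-matching ("find friends") lookups, unbounded and hardened.
Constructed example with made-up numbers and usernames; not Snapchat's code."""
from collections import defaultdict, deque
import random

RANGE_SIZE = 10_000  # constructed: simulates the numbers +15550000000 .. +15550009999


def _number(n: int) -> str:
    return f"+1555{n:07d}"


def build_directory(seed: int = 1) -> dict:
    """Constructed directory (phone number -> username); roughly one in seven
    numbers in the range has an account."""
    rng = random.Random(seed)
    return {_number(n): f"user{n}" for n in range(RANGE_SIZE) if rng.random() < 1 / 7}


def naive_find_friends(directory: dict, numbers: list) -> dict:
    """Unbounded lookup: any caller, any batch size, every match returned."""
    return {num: directory[num] for num in numbers if num in directory}


class RateLimited(Exception):
    pass


class FindFriendsService:
    """Hardened lookup: per-client sliding-window rate limit, capped batch size,
    and usernames that opted out of discovery are never returned."""

    def __init__(self, directory, max_batch=100, max_requests=3, window_s=60.0):
        self.directory = directory
        self.max_batch = max_batch
        self.max_requests = max_requests
        self.window_s = window_s
        self.opted_out = set()                # usernames hidden from lookup
        self._history = defaultdict(deque)    # client_id -> request timestamps

    def opt_out(self, username):
        self.opted_out.add(username)

    def find_friends(self, client_id, numbers, now):
        """`now` is injected (seconds) so the window can be tested deterministically."""
        if len(numbers) > self.max_batch:
            raise ValueError(f"batch too large (max {self.max_batch})")
        hist = self._history[client_id]
        while hist and now - hist[0] >= self.window_s:   # drop expired requests
            hist.popleft()
        if len(hist) >= self.max_requests:
            raise RateLimited(f"{client_id}: more than {self.max_requests} requests per {self.window_s}s")
        hist.append(now)
        return {num: self.directory[num] for num in numbers
                if num in self.directory and self.directory[num] not in self.opted_out}


def sweep_naive(directory):
    """Scraper against the unbounded lookup: one request covers the whole range."""
    return naive_find_friends(directory, [_number(n) for n in range(RANGE_SIZE)])


def sweep_hardened(service, client_id="scraper", batch=100, now=0.0):
    """Scraper against the hardened lookup, sending max-size batches back to back
    until throttled. Returns (matches_found, numbers_checked)."""
    found, checked = {}, 0
    for start in range(0, RANGE_SIZE, batch):
        chunk = [_number(n) for n in range(start, min(start + batch, RANGE_SIZE))]
        try:
            found.update(service.find_friends(client_id, chunk, now))
        except RateLimited:
            break
        checked += len(chunk)
    return found, checked


if __name__ == "__main__":
    directory = build_directory()
    print("accounts in range:", len(directory))
    print("unbounded sweep recovered:", len(sweep_naive(directory)))
    found, checked = sweep_hardened(FindFriendsService(directory))
    print(f"hardened sweep: checked {checked} of {RANGE_SIZE} numbers, "
          f"recovered {len(found)} usernames before being throttled")
```

With the constructed limits (3 requests of at most 100 numbers per minute), a single client can probe 300 numbers per window instead of the whole range, and a user who has opted out never appears in any result. The limit is per client identifier, so in a real deployment the identifier must be something the scraper cannot mint freely (an authenticated account with its own cost to create, not just a source IP), or the bound is only on one of many clients.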
No messages or other data beyond usernames and phone numbers were leaked. But Snapchat faced criticism in the wake of the leak, in part because concerns that users' phone numbers could be scraped en masse had been publicized by security groups for months. Snapchat initially dismissed those worries. Today, it posted an email address that white-hat hackers can use to notify the company of potential exploits: firstname.lastname@example.org. "The Snapchat community is a place where friends feel comfortable expressing themselves," the company said, "and we're dedicated to preventing abuse."
Update: Gibson Security, the group that originally warned Snapchat about the vulnerability in August, has responded to Snapchat's blog post. Offended by Snapchat's response to its efforts, GibSec points out that Snapchat doesn't actually claim that the vulnerability has been fixed, and has yet to apologize to its users.