Snapchat has announced that it is to release an update to its application to address and reduce abuse opportunities after user details were leaked online.
According to a blog post by the company, the ability to enter a phone number to enable users to find friends was introduced after the launch of the application, and it was informed about potential abuse of this feature by Gibson Security in August 2013.
“Shortly thereafter, we implemented practices like rate limiting aimed at addressing these concerns. On Christmas Eve, that same group publicly documented our API, making it easier for individuals to abuse our service and violate our Terms of Use,” it said. Gibson Security denied any involvement in the hacking.
Snapchat confirmed that even though an attacker released a database of partially redacted phone numbers and usernames, which could be correlated to find users, no other information was leaked or accessed. The planned update will allow users to opt out of appearing in Find Friends after they have verified their phone number, and it is improving rate limiting and other restrictions to address future attempts to abuse the service.
“The Snapchat community is a place where friends feel comfortable expressing themselves and we’re dedicated to preventing abuse,” it said.
On New Year’s Eve, attackers published the details of 4.6 million Snapchat users, with the last two digits of each phone number redacted. The site was later taken down, but those behind it said that it was published to “raise awareness” of the issue.
Tim ‘TK’ Keanini, CTO at Lancope, said: “Just in the past month, it seems that the frequency of account comprises are so high that people are having to change their passwords on a weekly basis. This is not sustainable. How bad does it have to get before it starts getting better?
“The more users you have in your online system, the more attractive you are to the advanced threat. They will work all day and all night to penetrate your systems and in turn, you must work all day and all night to ensure that you defend your system. At some point, product managers of these systems will prioritise security related features over all the other features in the backlog and make it happen sooner than later. Until then, there will be many more stories like this and good luck having to change your password for an upward of 50+ accounts on a weekly basis.”
