Hacked in the New Year – Millions of Skype and Snapchat Users

You may recall that we at Firestorm have cautioned users of SnapChat in the past (see: Snapchat – Great, Another Way to Destroy Your Brand). As a New Year’s gift to 2014, hackers posted a database containing 4.6 million names and phone numbers of Snapchat users and compromised the social media accounts of Skype in two apparently separate attacks.

According to various news sources, a website called SnapchatDB.info made Snapchat customer information available for download late Tuesday, in what the perpetrators declared was an attempt to expose the vulnerability of users’ data.

As of Wednesday evening, the site had been suspended.

Snapchat warned of this potential scenario days prior in a blog post on their website, saying a security group had alerted it about a potential vulnerability.

“We don’t display the phone numbers to other users and we don’t support the ability to look up phone numbers based on someone’s username,” the company wrote Friday. “Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way.”

Soon after, hackers posted a sampling of the data.

“This information was acquired through the recently patched Snapchat exploit and is being shared with the public to raise awareness on the issue,” said the site that posted the information. “The company was too reluctant at patching the exploit until they knew it was too late and companies that we trust with our information should be more careful when dealing with it.”

“For now, we have censored the last two digits of the phone numbers in order to minimize spam and abuse,” the site added. “Feel free to contact us to ask for the uncensored database. Under certain circumstances, we may agree to release it.”

Gibson Security, an Australian-based, informal tech research firm, first flagged the security issue for Snapchat in August, and took to Twitter on New Year’s Eve to explain: “We know nothing about SnapchatDB, but it was a matter of time til [sic] something like that happened. Also the exploit works still with minor fixes.”

As detailed in Forbes:

The identity of those behind Gibson Security is unknown—the group appears to be little more than a moniker used by three hacker friends in Australia—but a member of the group responded to questions via email. He says that he and his friends have no formal training or qualifications, and are currently students. They are in no way affiliated with SnapchatDB, and don’t condone that entity’s release of user information. “But with Snapchat responding like it is,” my anonymous source writes, “it might be the wake up call it needs.”

The identity of SnapchatDB is also unknown but the group or person told TechCrunch that the hack was in direct response to the Gibson report and Snapchat’s nonchalant reaction:

“Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed. It is understandable that tech startups have limited resources but security and privacy should not be a secondary goal. Security matters as much as user experience does.”

Gibson released their initial report on August 27th last year. Snapchat didn’t respond until December 28th, three days after Gibson released a more thorough, updated account of the app’s security vulnerabilities.

Snapchat is a popular messaging app that lets users send each other photos that quickly disappear (see our previous article on this). In its blog post of Dec. 27, Snapchat described how its Find Friends feature allows users to upload their contact lists to Snapchat as a way of linking up friends. The company said it had implemented safeguards making an exploit “more difficult to do.” See “Snapchat to offer security fix in the wake of leaked user data” from The Verge.

While the Snapchat hackers have remained anonymous, the Syrian Electronic Army claimed credit for hacking the official blog and social network accounts for Microsoft’s Web calling service Skype.

A post published Wednesday on the official Skype blog featured the headline, “Hacked by Syrian Electronic Army.. Stop Spying!”

The group also posted the contact information of Steve Ballmer, Microsoft Corp’s retiring chief executive, on its Twitter account along with the message, “You can thank Microsoft for monitoring your accounts/emails using this details. #SEA”

That message was an apparent reference to revelations last year by former National Security Agency contractor Edward Snowden that Skype, which is owned by Microsoft, was part of the NSA’s program to monitor communications through some of the biggest U.S. Internet companies.

A message posted on Skype’s official Twitter feed on Wednesday, apparently by the hacking group, read: “Don’t use Microsoft emails (hotmail, outlook), They are monitoring your accounts and selling the data to the governments. More details soon. #SEA”

Similar messages were posted on Skype’s official Facebook pages and on a blog on its website before being taken down in late afternoon. The SEA later tweeted out copies of the message “for those who missed it.”

Skype acknowledged on Thursday it had been hit with a “cyber attack” but said no user information was compromised.

Last month Microsoft joined seven other top technology companies in pressing President Barack Obama to rein in the U.S. government’s electronic spying in a meeting at the White House.

Media companies, including the New York Times and the BBC, have repeatedly been targeted by the Syrian Electronic Army and other hacker activist groups that deface websites and take over Twitter accounts.

 
