Following this full disclosure, Snapchat issued a brief statement, concluding: "Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way. Over the past year we’ve implemented various safeguards to make it more difficult to do. We recently added additional counter-measures and continue to make improvements to combat spam and abuse."
The implication was that Snapchat users had nothing to fear and should carry on as before. It was wrong. A few days later a site called SnapchatDB.info, registered in Panama on 31 December, appeared on the internet. It reportedly made available a database of 4.6 million Snapchat usernames and phone numbers (with the last two digits of each number removed). The site is no longer available, but the database has undoubtedly been downloaded by both researchers and more dubious parties (it is apparently available on Mega).
TechCrunch contacted the hackers, and was told, "Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed... We used a modified version of gibsonsec’s exploit/method. Snapchat could have easily avoided that disclosure by replying to Gibsonsec’s private communications, yet they didn’t."
For its part, GibsonSec has denied involvement, although it clearly has access to the database. It has provided a lookup facility for concerned users to check whether their details are included in the leak (which only affects specific areas in America). It also offers some basic advice: "If your data has been leaked, don't freak out! There are a few things you can do if you've been affected."
First and foremost, it suggests, "you can delete your Snapchat account," but points out, "this won't remove your phone number from the already circulating leaked database. If you feel that you'd rather unscrupulous entities not potentially have your phone number, you're free to contact your phone TelCo, and request that they give you a new number. If you detail the breach, they'll almost certainly give you a new one."
Although the hackers removed the last two digits of each phone number before publishing the database, that leaves only 100 possible numbers per entry, so it is unlikely to stop a determined adversary from recovering the full number behind a given username. "And, of course, it’s possible that you have been flirting with someone via Snapchat that you didn’t want to have access to your phone number," warns security expert Graham Cluley. "Snapchat, you will remember, is designed to let you send a sexy snap that is only supposed to be viewable for a few seconds before it is destroyed."
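To make concrete why dropping two digits is weak protection, the following is an added illustration, not code from the article, from SnapchatDB or from GibsonSec. It models the two things the text describes in prose: a leaked record of the form (username, number with its last two digits replaced by "XX"), and a friend-finder style oracle that, given a batch of phone numbers, reports which belong to registered users and under which username. The `FriendFinderOracle` class is a hypothetical in-memory stand-in over constructed, made-up numbers; it is not Snapchat's API. It also shows that capping the batch size alone only raises the attacker's cost from one request to a handful.

```python
"""Why truncating the last two digits of a leaked phone number barely helps.

Added example over constructed data. The oracle is hypothetical and the
directory entries are invented; nothing here touches a real service.
"""
from typing import Dict, List, Optional, Tuple

# Constructed directory: the mapping a friend-finder style endpoint consults.
# Note that alice_snaps and bob_b share the same 8-digit stem, so a leaked
# truncated number alone would be ambiguous between them.
DIRECTORY: Dict[str, str] = {
    "5550123456": "alice_snaps",
    "5550123499": "bob_b",
    "5559876501": "carol",
}


def leaked_record(full_number: str, username: str) -> Tuple[str, str]:
    """Produce a leak-style record: username plus number with last two digits hidden."""
    return username, full_number[:-2] + "XX"


def candidates(truncated: str) -> List[str]:
    """All 100 numbers consistent with an 'XX'-truncated number."""
    stem = truncated[:-2]
    return [f"{stem}{i:02d}" for i in range(100)]


class FriendFinderOracle:
    """Hypothetical bulk lookup: phone numbers in, matching usernames out.

    `max_batch` models a server-side cap on how many numbers one request
    may carry. `requests` and `queries` count what the attacker spent.
    """

    def __init__(self, directory: Dict[str, str], max_batch: Optional[int] = None):
        self._dir = directory
        self.max_batch = max_batch
        self.requests = 0   # HTTP-style requests made
        self.queries = 0    # individual phone numbers looked up

    def lookup(self, numbers: List[str]) -> Dict[str, str]:
        if self.max_batch is not None and len(numbers) > self.max_batch:
            raise ValueError("batch exceeds server limit")
        self.requests += 1
        self.queries += len(numbers)
        return {n: self._dir[n] for n in numbers if n in self._dir}


def resolve(username: str, truncated: str, oracle: FriendFinderOracle) -> Optional[str]:
    """Recover the full number for a leaked (username, truncated) record.

    With an uncapped oracle this is a single request carrying 100 numbers;
    the username from the leak disambiguates neighbours sharing the stem.
    """
    hits = oracle.lookup(candidates(truncated))
    matches = [n for n, u in hits.items() if u == username]
    return matches[0] if len(matches) == 1 else None


def resolve_batched(username: str, truncated: str,
                    oracle: FriendFinderOracle, batch_size: int) -> Optional[str]:
    """Same search against an oracle that caps batch size.

    The cost grows to at most ceil(100 / batch_size) requests, which shows
    that a batch cap without a per-account quota is not a real defence.
    """
    cands = candidates(truncated)
    for i in range(0, len(cands), batch_size):
        for n, u in oracle.lookup(cands[i:i + batch_size]).items():
            if u == username:
                return n
    return None


if __name__ == "__main__":
    user, partial = leaked_record("5550123456", "alice_snaps")
    o = FriendFinderOracle(DIRECTORY)
    print(user, partial, "->", resolve(user, partial, o), "in", o.requests, "request")
    capped = FriendFinderOracle(DIRECTORY, max_batch=10)
    print(user, partial, "->", resolve_batched(user, partial, capped, 10),
          "in", capped.requests, "requests")
```

The defensive takeaway is in the numbers the oracle records: an attacker recovers a truncated entry with 100 lookups, and a batch cap only multiplies the request count by a small constant. Protection has to come from limiting how many distinct numbers one account may resolve over time, not from the two hidden digits.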
The hackers themselves commented on their site, “People tend to use the same username around the web so you can use this information to find phone number information associated with Facebook and Twitter accounts, or simply to figure out the phone numbers of people you wish to get in touch with."