Selfie-sharing app Snapchat has issued an apology after a data breach saw the usernames and mobile phone numbers of 4.6 million users published online.

Over the Christmas holiday it was found that Snapchat's phone number look-up system - whereby users can find friends based on their mobile number - was open to abuse. Because the app imposed no limit on how often a user could look up phone numbers, a script could make thousands of search requests every minute.

The suggestion that such an attack could be used to record the previously unknown phone numbers of users was dismissed by Snapchat as "theoretical," but on 1 January hackers extracted a database of 4.6 million Snapchat usernames and phone numbers, dumping the list online for all to see, albeit with the last two digits of each number removed in the name of censorship.

But the attackers suggested readers could request certain phone numbers: "For now, we have censored the last two digits of the phone numbers in order to minimise spam and abuse. Feel free to contact us to ask for the uncensored database. Under certain circumstances, we may agree to release it," they said.

At first Snapchat failed to apologise for the data breach, but on 9 January finally issued the following statement: "Our team continues to make improvements to the Snapchat service to prevent future attempts to abuse our API. We are sorry for any problems this issue may have caused you and we really appreciate your patience and support."

Snapchat apology

The statement was joined by an update to the service's Android and iOS apps.

The update means users must now verify their phone number before they can look up others, stopping the mass scraping of data which led to the breach.

Paul Ducklin of Sophos' Naked Security blog said the update "seems reasonable, as a way of making you accountable for what you subsequently do with the service."

But the system still isn't perfect. Ducklin points out that users who don't want to be searchable by their phone number must actively opt out, but this cannot be done until you hand over your number and have it verified, making every user searchable, if only briefly, when they first set up the app.
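As an added illustration of the controls discussed above (verification before any lookup, a per-caller rate limit on the look-up endpoint, and Ducklin's point about users being searchable by default), here is a constructed Python model of a phone-number lookup service. It is example code written for this page, not Snapchat's implementation; the class names, the three-lookups-per-minute budget and the phone numbers are all invented, and the SMS verification step itself is out of scope.

```python
"""Illustrative phone-number lookup service with three defensive controls:
callers must verify their own number first, lookups are rate-limited per
caller, and accounts are not discoverable by number unless they opt in.
Constructed example for this page; not Snapchat's code."""
from collections import defaultdict, deque
from dataclasses import dataclass
import time


class RateLimited(Exception):
    """Raised when a caller exceeds its lookup budget."""


class SlidingWindowLimiter:
    """Allow at most `max_requests` per `window_seconds` for each key."""

    def __init__(self, max_requests: int, window_seconds: float):
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits = defaultdict(deque)  # key -> timestamps of recent requests

    def allow(self, key: str, now: float) -> bool:
        q = self._hits[key]
        while q and now - q[0] >= self.window:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


@dataclass
class Account:
    username: str
    phone: str
    verified: bool = False
    searchable: bool = False  # privacy default: not discoverable by number


class PhoneLookupService:
    def __init__(self, limiter: SlidingWindowLimiter, clock=time.monotonic):
        self.limiter = limiter
        self.clock = clock  # injectable so the demo can advance time
        self.accounts = {}  # username -> Account
        self.by_phone = {}  # phone -> username, populated only after verification

    def register(self, username, phone, searchable=False):
        self.accounts[username] = Account(username, phone, searchable=searchable)

    def confirm_verification(self, username):
        """Called once the SMS code check has succeeded (out of scope here)."""
        acct = self.accounts[username]
        acct.verified = True
        self.by_phone[acct.phone] = username

    def set_searchable(self, username, searchable):
        self.accounts[username].searchable = searchable

    def lookup(self, caller, phone):
        acct = self.accounts.get(caller)
        if acct is None or not acct.verified:
            raise PermissionError("verify your own number before looking up others")
        if not self.limiter.allow(caller, self.clock()):
            raise RateLimited(f"{caller} exceeded lookup budget")
        target = self.by_phone.get(phone)
        if target is None or not self.accounts[target].searchable:
            return None  # unknown numbers and opted-out users look identical
        return target


def demo():
    """Drive the service through the cases above; returns a result summary."""
    t = [0.0]  # fake clock, advanced by hand
    svc = PhoneLookupService(SlidingWindowLimiter(3, 60), clock=lambda: t[0])
    svc.register("alice", "+15550001111")                   # constructed data
    svc.register("bob", "+15550002222", searchable=True)    # bob opted in
    svc.register("carol", "+15550003333")                   # carol keeps default
    for u in ("alice", "bob", "carol"):
        svc.confirm_verification(u)
    out = {}
    svc.register("mallory", "+15550009999")  # never verifies
    try:
        svc.lookup("mallory", "+15550002222")
        out["unverified"] = "allowed"
    except PermissionError:
        out["unverified"] = "denied"
    out["bob"] = svc.lookup("alice", "+15550002222")      # 1st lookup
    out["carol"] = svc.lookup("alice", "+15550003333")    # 2nd: opted out -> None
    out["unknown"] = svc.lookup("alice", "+15550004444")  # 3rd: no account -> None
    try:
        svc.lookup("alice", "+15550002222")               # 4th within a minute
        out["fourth"] = "allowed"
    except RateLimited:
        out["fourth"] = "denied"
    t[0] += 61  # window expires
    out["after_window"] = svc.lookup("alice", "+15550002222")
    return out


if __name__ == "__main__":
    print(demo())
```

Two design choices matter here. An opted-out user and an unknown number return the same `None`, so the endpoint cannot be used as an oracle for whether a number belongs to a user at all; and `searchable` defaults to `False`, which is the opposite of the behaviour Ducklin criticises, where a freshly verified account is discoverable until its owner finds the opt-out setting.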