Snapchat, the red-hot private messaging service, said on Thursday that it knew for months about a security loophole that allowed hackers this week to harvest millions of phone numbers and announced changes to its systems.
An anonymous group called Snapchat DB posted the usernames and phone numbers of 4.6 million Snapchat users on New Year's Eve, days after the startup - headed by 23-year old founder Evan Spiegel - brushed off warnings that its app still contained security loopholes.
The hacker group, which claimed to be based in the United States and Europe, made the entire database available for download but redacted the last two digits of every phone number. Snapchat DB said it was working to raise awareness about Snapchat's security holes, not out of malicious intent.
In its first public statement since the leak, Snapchat said in a blog post on Thursday that no "snaps" - the contents of messages - were compromised or accessed as part of the hack.
Snapchat was first alerted to the vulnerability in August by a security group called Gibson Security. Snapchat said it made changes to its system to address the weaknesses, but the company also published a blog post downplaying the threat as "theoretical" on December 27.
Snapchat DB carried out the hack and disclosed the phone numbers just four days later.
The hack was a rare black eye for a high-flying appmaker started by Stanford University undergraduates in 2011. Snapchat has soared in popularity over the past year because it allows its users - mostly teens - to send private pictures and messages that self-destruct after 10 seconds at most.
Calling the hackers' disclosure an "abuse" of its system, Snapchat said Thursday that it was first told by security experts in August that its "Find Friends" feature may contain a weakness.
The company did not apologize for the leaks but said it would carry out some changes to prevent further unwanted disclosures.
"We will be releasing an updated version of the Snapchat application that will allow Snapchatters to opt out of appearing in Find Friends after they have verified their phone number," the company wrote. "We're also improving rate limiting and other restrictions to address future attempts to abuse our service."
Source: Reuters