Menu
Browse

Cyber Incident Victim: Snap Inc.

Date:

Dec 2013

Location:

United States of America

Summary

A security vulnerability in Snapchat's 'Find Friends' feature was exploited by greyhat hackers, leading to the exposure of approximately 4.5 million users' usernames and associated phone numbers. The compromised database, which partially redacted phone numbers by obscuring the last two digits, was publicly posted online and later mirrored across search engine caches and third-party repositories. While the initial site hosting the data became inaccessible, the breach persisted through secondary sources and was integrated into a public data breach notification service. The incident demonstrated how features designed for user connectivity could be weaponized to harvest sensitive information for potential scams. In response, the company announced plans to implement an opt-out mechanism for the affected feature and established a dedicated channel for security researchers to report vulnerabilities.

CIA Posture Motives Tactics, Techniques & Procedures
Available to members 1 motive 1 technique
Threat Actors Type Location
0 actors Available to members Available to members

Description

In late December 2013, greyhat hackers exploited a security vulnerability in Snapchat’s 'Find Friends' feature to compile a database containing usernames and associated phone numbers for approximately 4.5 million users. The attackers publicly released this dataset on the website snapchatdb.info on December 31, 2013, partially redacting the last two digits of each phone number. They announced the possibility of privately sharing unobscured versions of the data. The vulnerability had been previously reported to Snapchat by security researchers, but the company initially dismissed its exploitability as theoretical. Within 24 hours of publication, the snapchatdb.info domain became inaccessible, though cached copies and mirror sites preserved the data. The breach dataset was later incorporated into the 'Have I Been Pwned' breach notification service.

Cyber Incident Image

The exposure enabled potential misuse of phone numbers for scams, spam, or targeted social engineering attacks. Snapchat acknowledged the incident in a January 2014 blog post, attributing it to abuse of the 'Find Friends' contact-matching functionality. The company announced plans to release an app update allowing users to opt out of this feature. Snapchat also established a dedicated email address for external security researchers to report vulnerabilities. The incident demonstrated how social media platforms’ friend-finding tools could be weaponized to link identifiable information like phone numbers to user accounts at scale. No legal actions against the perpetrators or financial penalties against Snapchat were detailed in the source material.

Sources
Sources available to members
1 source