
Snapchat Phone Number Database Leaked - lightcontact
http://www.snapchatdb.info
======
antimatter15
The top comment on Reddit r/netsec's corresponding coverage has mirrors on
Mega.co.nz for the files [1]

I couldn't find my own data in the set, and actually it seems like lots of
entire area codes are missing.

Assuming `cat schat.csv | uniq | cut -c1-4 | wc -l` is the proper command,
there are only 76 of 322 [2] US area codes represented.

It appears there are two Canadian area codes represented in the database: 867
and 204. There are also 248 US area codes which are _not_ represented in the
database. Assuming a relatively uniform distribution of phone numbers in the
US (which is not at all a safe assumption), the average US snapchat user has
better odds of _not_ being in the list than being in it. Sampling from the set
of my snapchat friends who are not in my area code, 3 of 13 can be found in
the database.

If your phone number is in any of these states, you're not in the database:
Alaska Delaware Hawaii Kansas Maryland Mississippi Missouri Montana Nebraska
Nevada New Hampshire New Mexico North Carolina North Dakota Oklahoma Oregon
Rhode Island Utah Vermont West Virginia Wyoming

[1]
[http://www.reddit.com/r/netsec/comments/1u4xss/snapchat_phon...](http://www.reddit.com/r/netsec/comments/1u4xss/snapchat_phone_number_database_leaked_46_million/)

[2] I'm matching a regex against this list
[http://en.wikipedia.org/wiki/List_of_North_American_Numberin...](http://en.wikipedia.org/wiki/List_of_North_American_Numbering_Plan_area_codes#United_States)
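
One way to compute the area-code coverage discussed in the comment above, as an added example that is not part of the original thread. It assumes the record layout quoted elsewhere in the thread (`"31755501XX","username","Indianapolis"`); the sample rows, usernames and function names are constructed for illustration.

```shell
#!/bin/sh
# Area-code coverage of a CSV laid out as "PHONE","USERNAME","REGION".
# Sample rows are constructed (555 exchange, made-up usernames).

sample_rows() {
cat <<'EOF'
"31755501XX","user_a","Indianapolis"
"65055501XX","user_b","Mountain View"
"31755502XX","user_c","Indianapolis"
"31755501XX","user_a","Indianapolis"
"65055503XX","user_d","Mountain View"
"20455501XX","user_e","Manitoba"
not,a,valid,row
EOF
}

# Print the 3-digit area code of every well-formed record on stdin.
# A record is accepted only if it has three quoted fields and a
# 10-character phone field whose trailing digits may be masked with X.
area_codes() {
  awk -F'","' '
    {
      phone = $1
      sub(/^"/, "", phone)
      if (NF == 3 && length(phone) == 10 && phone ~ /^[2-9][0-9][0-9][0-9X]+$/)
        print substr(phone, 1, 3)
    }'
}

# Number of distinct area codes. uniq only merges adjacent identical
# lines, so the field is extracted first and de-duplicated with sort -u.
distinct_area_codes() {
  area_codes | sort -u | wc -l | tr -d ' '
}

# "CODE COUNT" per area code, counting each distinct record once,
# most-represented area code first.
records_by_area_code() {
  sort -u | area_codes | sort | uniq -c |
    awk '{ print $2, $1 }' | sort -k2,2nr -k1,1
}

# Print the reference area codes (given as arguments) that never
# occur in the CSV on stdin.
missing_area_codes() {
  present=$(area_codes | sort -u | tr '\n' ' ')
  for code in "$@"; do
    case " $present " in
      *" $code "*) ;;
      *) printf '%s\n' "$code" ;;
    esac
  done
}

echo "distinct area codes: $(sample_rows | distinct_area_codes)"
echo "records per area code:"
sample_rows | records_by_area_code
echo "reference codes absent from the file:"
sample_rows | missing_area_codes 317 650 907 808
```

The arguments to `missing_area_codes` stand in for a reference list of area codes; any list of three-digit codes can be passed.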

~~~
chmars
It had never occurred to me that cell phone operators would use area codes. In
my small home country, there is basically one 'area code' per cell phone
operator. First lesson learnt in 2014! :)

~~~
arrrg
That doesn’t just apply to small countries. I was also unaware that mobile
phone numbers could have area codes and I’m from Germany (where each mobile
operator has one three digit code – but even that is becoming meaningless with
legally required number portability from operator to operator).

~~~
mdpye
Less visible to people, though the way gsm works means that every call and
text you receive entails a lookup to your number's original provider. Prefix
allocations to mobile networks are static and they are required to return a
new route if you've ported. Which means if a company leaves the market,
_someone_ has to take on their allocations or even non-current customers will
lose connectivity. Or at least that was true last time I checked, 4 or so
years ago. Kind of crazy.

------
cenhyperion
Just like to remind everyone that snapchat was aware of this exploit and
dismissive in regards to it.

[http://www.theverge.com/2013/12/27/5249304/snapchat-dismisse...](http://www.theverge.com/2013/12/27/5249304/snapchat-dismisses-concerns-over-phone-number-finder-exploit)

~~~
rsync
Heckuvajob, Brownie.

------
scaramanga
CSV: (magnet link)

SQL: (magnet link)

Both: (magnet link)

~~~
kamimeow
That's crazy how some personal info, once leaked, becomes
public/underground data leaving no real way to repair. (I'm thinking about
leaks of other info with an expiry, or tier revoking, like oauth tokens)

~~~
samstave
Blockchain roll-backs of leaked info?

/I have no idea what I am talking about :-)

------
rdl
Possibly they shouldn't have pissed on the people who notified them of the
vulnerability, and on the journalists who broke the story?

(aside from not being vulnerable to this in the first place, but that actually
is a lot to ask. I still can't believe anyone relied on the Snapchat model of
security more so than any other app, although from an ease of use, non-
security perspective, sure, it's reasonable.)

------
aheilbut
I guess I'm dating myself, but didn't we used to call that the phone book?

~~~
lucb1e
Fuck, misclicked downvote (wanted to upvote). Really great how HN does not
allow changing votes at least once. Sorry for that, but yeah good point.

Nowadays one or a few phone numbers are unique to you, which makes it linkable
to other things. Linkability is something that breaks privacy, so if you don't
want your full name to be known somewhere, it is important to be able to keep
things separate. When your phone number goes public (e.g. resumé and
snapchat), that anonymity is broken.

~~~
lostlogin
Someone always does it for me, so here is a compensation up vote. I agree, a
few mins of vote changing grace would be nice.

------
gibsonsecurity
For the record we don't know about SnapchatDB.

But it was a matter of time until this happened, the exploit still works with
minor modifications, you just have to be smart about it.

------
untog
Not at all surprised. Anyone that used the app would be suspicious of the
backend behind it. Should have taken that $3bn while you had the chance.

~~~
jkelsey
Still too early to make those types of statements. I think it mostly depends
on how much the media plays this up.

~~~
X4
we are kind of the media.. and reddit is too.. I also believe that they made a
fatal error by not selling everything for $3bn then jumping aboard. To not
have anything to do with the "soon to come security issues". I mean they could
have mentioned it and downplayed it as they did just recently. I don't think
that the new owner would take security more seriously than them.

For us it was really really good that he rejected the offer! Because otherwise
we would see the trade market crash $3bn, guess who would have to pay loss..
we..

well, if he saw that coming, which I doubt, he would be a hero.

~~~
wrongc0ntinent
> I don't think that the new owner would take security more seriously than them.

I don't know about that. Their dismissal was (at least framed as) "well that's
a lot of data, so it's not going to happen!"

Actual excerpt from their blog, on the 27th: "Theoretically, if someone were
able to upload a huge set of phone numbers, like every number in an area code,
or every possible number in the U.S., they could create a database of the
results and match usernames to phone numbers that way."

This is kind of a joke.

------
aabalkan
It's taking too much time to download each file even though they're 40 MB. I wish
they put it on as torrent in the first place.

Regarding the leak, yeah, that actually happens when you focus on the product
but security and reliability of your system. Snapchat, Whatsapp and many
others are hacked numerous times and yet it still happens.

~~~
belluchan
I do not wish they would torrent this. People, think about it. Personal,
private phone numbers. Why would you want this information? Seriously the
comments here make me sad for humanity right now.

~~~
TylerE
Phone numbers are hardly private information.

~~~
coralreef
Hmm, I somewhat disagree. Private information is anything you don't want
public. By protocol, it isn't strictly private. But a phone number is
private/unknown until its known, which is how most of us prefer it.

For example, in implicit social code it is impolite to give away a friend's
phone number without asking them first.

~~~
TylerE
Seriously? Ever heard of whitepages.com?

~~~
coralreef
I don't think whitepages has every name and phone number ever created

~~~
21echoes
neither does snapchat

~~~
coralreef
Yeah, but snapchat isn't supposed to give your number out.

------
pedalpete
What does snapchatdb hope to accomplish by allowing people to download the db?
Just showing and proving that you've hacked the database should be enough to
get the company to respond. They're probably not hurting snapchat as much as
the potential damage to the people whose phone numbers and usernames are being
downloaded.

~~~
obstacle1
Wasn't there a story posted right here on HN like a week ago where some people
notified snapchat of the vuln. and provided evidence, but Snapchat told them
to basically f*** off?

I'm not savvy enough to have the link at hand but I vividly remember that
happening.

~~~
jared314
Previous Discussions:

[https://news.ycombinator.com/item?id=6962329](https://news.ycombinator.com/item?id=6962329)
(6 days ago)

[https://news.ycombinator.com/item?id=6970036](https://news.ycombinator.com/item?id=6970036)
(4 days ago)

------
sschueller
I still don't understand why you would turn down $3 billion. How will you ever
make money with snapchat and how is it not a fad that will eventually die?

~~~
jpalomaki
Was it 3bn cash or 3bn with some conditions? Maybe they have already made
enough money (or are confident they will) and now want to get their name into
history by building great company.

~~~
sleepyhead
At the end of the day it is 3bn for an app that sends and shows photos for 10
seconds.

------
schappim
I wonder if this is real: "65039076XX","larrypage","Mountain View"

------
frasierman
Threw together a quick script to check if you're affected...
[http://robbiet.us/snapchat/](http://robbiet.us/snapchat/)

~~~
wahnfrieden
Ha, what. Your site says I'm leaked but gives a totally wrong phone #.

------
ateevchopra
They censored the last two digits of the phone numbers. And if you go to
google's password recovery option, it shows you the last three numbers of
someone's phone number. Just saying.

~~~
lucb1e
Why do you even share your phone number with Google?

~~~
jodrellblank
[http://www.google.com/landing/2step/](http://www.google.com/landing/2step/)

~~~
lucb1e
2FA is pretty useless if you have a good password and simply mind the https
lock and domain when logging in. Also I wouldn't share anything with Google
that is sensitive enough that it needs 2FA at all.

------
cooper12
> For now, we have censored the last two digits of the phone numbers in order
> to minimize spam and abuse. Feel free to contact us to ask for the uncensored
> database. Under certain circumstances, we may agree to release it.

At least they had the tact to omit the complete phone numbers, but agreeing to
release them under certain conditions just seems malicious.

------
couchdive
The exploit was brought to Snapchat's attention. Snapchat said impossible! DB
is posted as proof.

------
pikachu_is_cool
Is there a torrent for this? I want to see if my phone number has been
compromised so I can take measures to change it.

~~~
Istof
CSV:
[https://mega.co.nz/#!dcUhWabJ!dgiGrQCbRm6RqWCssewbmWzfV48B_B...](https://mega.co.nz/#!dcUhWabJ!dgiGrQCbRm6RqWCssewbmWzfV48B_BXK3wppZOtKpuo)

SQL:
[https://mega.co.nz/#!QJklSRJA!WrVeARPvcYgyKI3KENiPu0A6hlRCLf...](https://mega.co.nz/#!QJklSRJA!WrVeARPvcYgyKI3KENiPu0A6hlRCLfDaYNt9v1l69RI)

------
nadaviv
For those who haven't noticed that, they are censoring the last two digits of
the phone numbers:

> For now, we have censored the last two digits of the phone numbers in order
> to minimize spam and abuse. Feel free to contact us to ask for the
> uncensored database. Under certain circumstances, we may agree to release
> it.

~~~
fletchowns
a.k.a. pay us some $ for it

~~~
eigenvalue
Since they give a bitcoin address, it's more likely that they want BTC. But
yeah, same idea.

------
vikp
I made a site to check if you are affected by this leak:
[http://www.snapcheck.org](http://www.snapcheck.org) . Happy new year,
everyone (although on a bad note...)

~~~
xixixao
This would be perfect for completing the database .)

~~~
vikp
I just open sourced the code:
[https://github.com/VikParuchuri/snapcheck](https://github.com/VikParuchuri/snapcheck)
. Can verify, nothing tricky going on.

------
jlgaddis
Download links were broken for me so I've mirrored them here (converted from
zip to bzip2):

CSV:
[http://evilrouters.net/schat.csv.bz2](http://evilrouters.net/schat.csv.bz2)

SQL:
[http://evilrouters.net/schat.sql.bz2](http://evilrouters.net/schat.sql.bz2)

~~~
kevinjones
Or just use port 8080 to bypass their Varnish server:

[http://www.snapchatdb.info:8080/schat.csv.zip](http://www.snapchatdb.info:8080/schat.csv.zip)
[http://www.snapchatdb.info:8080/schat.sql.zip](http://www.snapchatdb.info:8080/schat.sql.zip)

~~~
JacobIrwin
8080s aren't working, but jlgaddis's downloads are...

------
GigabyteCoin
Is anyone out there thinking that perhaps a larger social network might have
had some hand in this?

The first thing that came to mind was "oh boy, I'll bet this made Zuck's new
years eve!"

------
lightercontact
SnapchatDB here: Our hosting account has been suspended. For further contact
please use: snapchatdb@Safe-mail.net, or the original Bitmessage address
(BM-2cTPMALzgYTkM8A96g2iwTjGHQUuNSwamp)

You can confirm my identity by messaging the original Bitmessage address which
was captured by
[http://www.reddit.com/r/netsec/comments/1u4xss/snapchat_phon...](http://www.reddit.com/r/netsec/comments/1u4xss/snapchat_phone_number_database_leaked_46_million/ceekp51)

------
elnate
As a casual user, can someone explain the implications for me? They seem to
have my username and phone number combo; can they use these for nefarious
purposes?

~~~
alaskamiller
If you're not a hot underage teen girl, then prob not. But now it blows up the
spot for where a lot of teens are hanging out. Now it's another step to
getting to you if some creep wants to. Or take it to a grander scale, it
creates a viable link of who a person and their digital mask is.

That's kind of the thing about privacy. It's kind of slipping away, but if you
don't care that it is then it's prob cause it doesn't matter to you yet.

~~~
Sami_Lehtinen
If you're playing anonymous, you surely would also use burner phones and not
your main phone for that purpose. Same applies to identities, profiles and
hardware, any IDs, network connection and so on.

Because if I do have an alias, which is doing very shady things. I would make
it pretty sure, it's not going to be that easy to get it. When doing stuff
like that you want to be sure that there's "shared nothing" approach. So if
they hack your systems, your primary system won't contain any information
referring to the shady side and vice versa.

~~~
Crito
> _If you're playing anonymous, you surely would also use burner phones and
> not your main phone for that purpose._

We are talking about teenagers sending pictures to each other, not weed
dealers in a prohibition state.

------
cdcarter
So the primary use for this database would be phishing, right? Or some attempt
at building a reverse cell phone number lookup database, assuming people have
reused usernames? My normal username was taken when I signed up for snapchat,
but I suppose you could use this to get quite a few cell number -> instagram
or twitter pairings?

------
smtddr
> _The company was too reluctant at patching the exploit until they knew it
> was too late_

Did they give Snapchat enough time to fix this before releasing this data?

NOTE: I've heavily edited this comment because when I first read the website I
thought snapchat ignored the people who found an exploit but re-reading, it's
no longer clear to me that releasing this data is not pure malice.

NOTE2: The link from couchdive's comment makes this more interesting -
[http://www.zdnet.com/researchers-publish-snapchat-code-allow...](http://www.zdnet.com/researchers-publish-snapchat-code-allowing-phone-number-matching-after-exploit-disclosures-ignored-7000024629/) - but
still, the webpage hosting the data said the exploit was fixed, so it wasn't
ignored, so... I don't know what the purpose of releasing this data was.

~~~
belluchan
Why would you donate to these people? Because they're hurting Snapchat users?
What is wrong with the people posting in this thread like this is some kind of
good thing? Real people can be hurt by this.

~~~
w-ll
Maybe no one would ever send him snaps. Either way I find it more disturbing
that an address he claims to own [1] is on this list [2]

1\.
[https://news.ycombinator.com/user?id=smtddr](https://news.ycombinator.com/user?id=smtddr)

2\.
[https://github.com/mikispag/bitiodine/blob/master/classifier...](https://github.com/mikispag/bitiodine/blob/master/classifier/cryptolocker_known.txt)

~~~
smtddr
Um, I just want to say that I have __NO IDEA__ why my BTC address is on that
list and I've never seen this git URL before in my life. That BTC address is
my deposit address on BTC-e.com. This address has only ever received 2.25
BTC[1] and this was purchased fair & square from coinbase.com[2] with my hard-
earned USD. I really do not know what in the world is going on or who put my
BTC-e.com address on this alleged cryptolocker's known list. I have absolutely
nothing to do with that software.

Pardon me while I go to BTC-e.com and have it generate a new address. I don't
need to be getting mixed up in this.

1\.
[https://blockchain.info/address/19ukXViVqQ2pVg63aeTmMNv6TBEZ...](https://blockchain.info/address/19ukXViVqQ2pVg63aeTmMNv6TBEZpFtVFo)

2\. [http://i.imgur.com/6EKJvX9.png](http://i.imgur.com/6EKJvX9.png)

~~~
w-ll
Well, word to the wise, don't use BTC-e as a wallet.

~~~
smtddr
I would have found it quite amusing/scary to suddenly see some huge balance on
my account. BTC-e.com sends emails for any account activity and I haven't seen
anything I didn't cause. Also, BTC-e.com is just too convenient not to use for
now. It's the quickest way for me to get litecoin until coinbase.com supports
it.

~~~
MiWDesktopHack
Did the snapchatdb.info guys change the donation address? It's now reporting as
1M7rREovDkdEh4mZrYNgcj1FECRknFLuRz

They have already got $1USD for this.
[https://blockchain.info/address/1M7rREovDkdEh4mZrYNgcj1FECRk...](https://blockchain.info/address/1M7rREovDkdEh4mZrYNgcj1FECRknFLuRz)

When I first read your post smtddr I got worried we had a collision! I've found
the quality of blockchain auditing in 2013 highly inaccurate. I recently brought
attention to the case on reddit where someone 'chased' the SMP thief
through a tumbler and found... the 96k wallet allegedly owned by btc-e. It's a
shame if a non published address of yours has been tainted in someone's
inaccurate blockchain analysis.

~~~
smtddr
w-ll was talking about the original BTC address in my profile being on the
known list for cryptolocker. The same address I linked to in my reply to
her/him. When you say "we", who are you?

Also, that whole reddit thread about chasing the SMP stolen coins I thought
was too hard to actually pull off. For example, I use coinbase to buy BTC, to
send to BTC-e.com, to buy Litecoins and ultimately store them in the offline
address that's in my HN profile. Can anyone show me the blockchain.info URLs
that would prove my actions? If the SMP people changed coin-types, that's how
it'd end up on BTC-e.com's wallet. In fact, maybe that same flawed logic is
how my BTC-e.com address ended up in that list - capturing addresses that
BTC-e.com uses for its customers or internal operations.

~~~
maxerickson
Please consider corresponding with the author of the Github repo to see if
they can figure out why that address was included in the list.

Based on the page for that tool (
[http://miki.it/articles/papers/#bitiodine](http://miki.it/articles/papers/#bitiodine)
), it looks like they would be interested to know of the failure.

~~~
smtddr
And done...
[https://github.com/mikispag/bitiodine/issues/3](https://github.com/mikispag/bitiodine/issues/3)

This whole incident reminds me of Reddit doxxing. This could have ended up
much worse for me. I'm just glad I found out this way instead of the police
requesting info from Google about my youtube account and gmail inbox then
busting down my door in the middle of the night.

------
jschmitz28
> For now, we have censored the last two digits of the phone numbers in order
> to minimize spam and abuse. Feel free to contact us to ask for the
> uncensored database. Under certain circumstances, we may agree to release
> it.

Why not just release the usernames and leave out the phone numbers?

------
jlgaddis
_NB:_ "For now, we have censored the last two digits of the phone numbers in
order to minimize spam and abuse. Feel free to contact us to ask for the
uncensored database. Under certain circumstances, we may agree to release it."

------
jrockway
I have list of all US phone numbers:

    
    
        000-000-0000
        000-000-0001
        ...

~~~
nswanberg
Yes, this is strange on all fronts. As far as I know names and land numbers
are still published in phone books, and a phone number isn't generally a very
interesting bit of information to have. And to the extent this information is
sensitive, why be so eager to spread it (beyond being a teenager and getting a
thrill)?

~~~
hkmurakami
1\. You can remove your phone number from phone books.

2\. Cell numbers aren't published in those books, which this affects.

2\. Land lines these days are somewhat separate from our lives. It's
relatively easy to ignore. Getting phishing texts (say, faking our banks,
since some -- including myself -- have some bank alerts texted to us) to our
cellphones could be quite harmful. If you send a million texts pretending to
be Chase, and say 50% of the numbers are legit cell phone numbers, and 20% of
people have chase accounts, and 0.1% of people fall for the phishing attempt,
then you get 1/10,000 people getting phished. That's 100 people out of a
million affected monetarily, and 500,000 people getting annoyed by the spam.

Obviously this is back of the envelope, but this is one reason it could
matter.

edit: a comment thread below mentions that the bottom two digits are hidden at
this moment but will be revealed for interested parties. That really smells
like the numbers will be sold to spam/phishing operations.

~~~
orik
You can't remove your phone number from already published phone books. You can
only omit yourself from later editions.

------
OedipusRex
This is what a sample looks like

"31755501XX","username","Indianapolis"

The XXs hide the last two digits of every number. The list is also massively
incomplete.

------
billsix
I wonder if this will adversely affect their revenue

------
mofity
could someone please post a torrent of this spreading the information as much
as possible it will become less important and more known

------
Ryel
Is it not odd that Snapchat has 5+ open job listings on their website, none of
which include security?

------
nhangen
What I want to know is what kind of asshole it takes to do things like this?

Great, Snapchat isn't secure, and they probably didn't give a damn when
notified of the vulnerability (not surprising, given their cavalier
attitudes), but why expose their audience in order to prove a point?

Not cool man.

~~~
nitrogen
Probably because someone else would have, or already has, and kept it secret
instead. What you don't know _can_ hurt you.

------
noclip
You mean to say a company that encrypts users' messages in ECB mode with a
fixed key hard-coded into the binary and which was publicly disclosed almost a
year ago and hasn't been changed isn't responsible with user data?

------
ebahnx
Is this a hoax? Has anyone attempted to verify the data with at least some
spot checks?

------
convoe
The database and download exclusively on convoe:
[http://convoe.com/topic/127/introducing-snapchat-database](http://convoe.com/topic/127/introducing-snapchat-database)

~~~
plausibility
"exclusively" - as opposed to those torrents, the mega mirrors and personal
mirrors provided by reddit and hn members, right?

------
disclosure
Check if your Snapchat account is leaked in the SnapchatDB release:
[https://dazzlepod.com/snapchat/](https://dazzlepod.com/snapchat/)

------
nighthawk24
I knew I shouldn't have signed up for Snapchat, never freaking used it, and
now my phone number-username identity has been leaked.

------
_RPM
What is the point of the areacodes table they provide? It has no relation to
the records table. Also, I found my username in there.

------
boxy
I am interested in knowing if anyone who had deleted their SnapChat account,
preferably months ago, was listed in that database.

------
bierko
For some reason, all of the 617 area codes are labeled as "Southern Michigan",
but 617 is for Boston/Cambridge.

------
ufmace
Anyone else tried putting together some stats from the info?

    
    
                         name                     | areacode | count  
    	----------------------------------------------+----------+--------
    	 Chicago Suburbs                              | 815      | 215953
    	 Eastern Los Angeles                          | 909      | 215855
    	 San Fernando Valley                          | 818      | 205544
    	 Southern California                          | 951      | 200008
    	 Los Angeles                                  | 310      | 196183
    	 Northern Chicago Suburbs                     | 847      | 195925
    	 Denver-Boulder                               | 720      | 188285
    	 Downtown Los Angeles                         | 323      | 168565
    	 New York City                                | 347      | 166374
    	 New York City                                | 917      | 165420
    	 Fort Lauderdale                              | 954      | 153522
    	 Northern New York                            | 315      | 147447
    	 Buffalo                                      | 716      | 144939
    	 Southern Illinois                            | 618      | 144280
    	 Boulder-Denver                               | 303      | 139265
    	 Southern Michigan                            | 617      | 138821
    	 Northeastern New York State                  | 518      | 138043
    	 Champaign-Urbana                             | 217      | 135837
    	 Oakland                                      | 510      | 130531
    	 Miami                                        | 786      | 117906
    	 Westchester County, NY                       | 914      | 116632
    	 Western and Northern Colorado                | 970      | 115378
    	 San Francisco                                | 415      | 108883
    	 Miami                                        | 305      | 104415
    	 Southeastern Colorado                        | 719      | 102932
    	 Manhattan                                    | 646      |  96646
    	 Mountain View                                | 650      |  94430
    	 Chicago                                      | 312      |  70709
    	 Southwest Connecticut                        | 203      |  60629
    	 Bronx, Queens, Brooklyn                      | 718      |  51086
    	 Boston                                       | 857      |  41857
    	 Central Arizona                              | 480      |  35631
    	 South Carolina                               | 864      |  33034
    	 Eastern Ohio                                 | 330      |  32721
    	 Arkansas                                     | 870      |  28940
    	 Idaho                                        | 208      |  26827
    	 Southeastern Virginia                        | 757      |  21170
    	 Los Angeles                                  | 213      |  13705
    	 Southeastern Ohio                            | 740      |  11597
    	 Eastern San Francisco                        | 209      |  11356
    	 Seattle                                      | 206      |  10623
    	 Fort Lauderdale                              | 754      |  10131
    	 Maine                                        | 207      |  10126
    	 Northern Louisiana                           | 318      |   9842
    	 Indianapolis                                 | 317      |   8151
    	 Northwestern Arkansas                        | 479      |   7300
    	 Manitoba                                     | 204      |   7211
    	 Minnesota                                    | 320      |   7162
    	 Southeastern Michigan incl. Ann Arbor        | 734      |   7077
    	 Eastern part of Southern New Jersey          | 609      |   6952
    	 Pennsylvania                                 | 484      |   6314
    	 Manhattan                                    | 212      |   3970
    	 Pennsylvania                                 | 610      |   3930
    	 Southern New York State                      | 607      |   3437
    	 Central Florida                              | 321      |   3258
    	 New York City                                | 929      |   2651
    	 Florida                                      | 863      |   2642
    	 Southeastern California                      | 760      |   2523
    	 Southwestern Wisconsin                       | 608      |   2217
    	 Central Texas                                | 325      |   1542
    	 Central Georgia                              | 478      |   1396
    	 Western Central Alabama                      | 205      |    825
    	 Eastern Kentucky                             | 606      |    565
    	 DuPage County, Illinois                      | 331      |    512
    	 Eastern part of central New Jersey           | 732      |    507
    	 South Dakota                                 | 605      |    375
    	 Knoxville, Tennessee                         | 865      |    263
    	 Southwestern Connecticut                     | 475      |    253
    	 Eastern Iowa                                 | 319      |    198
    	 Georgia                                      | 470      |    163
    	 Minneapolis                                  | 612      |    103
    	 San Fernando Valley, LA                      | 747      |     84
    	 Canadian territories in the Arctic far north | 867      |     31
    	 Washington DC                                | 202      |      3
    	 Georgia                                      | 762      |      2
    	 Dallas                                       | 469      |      1
    

I wonder where they were getting the numbers to search by from. From how they
described the vulnerability, I would have thought they would just iterate
through all possible phone numbers. If they're doing that, it's strange how
there's exactly 1 number for the dallas area code.

------
pccampbell
This seems super reckless.

------
raingrove
If you have a SF Bay Area phone number, it's probably in there.

------
hkiely
It looks like they only bothered with most populated area codes.

------
meerita
I feel good I didn't get into the Snapchat train before.

------
_RPM
Did he just turn off his HTTP server? I get no response.

------
_RPM
Did he just stop his HTTP server? I get no response.

------
elwell
"This account has been suspended."

------
taternuts
is this a result of an actual hack, or just someone who used the snapchat
username->phone number to get 4.6?

------
bookface
These comments are disgusting. Why are you all trying to download the data?
Why are many of you trying to distribute it?

~~~
protomyth
I would imagine some of the people wanting to download the data are snapchat
users who are trying to find out if they (or people they know) have data in
the file. No clue on the distribute part.

------
hackdoman
www(dot)mediafire(dot)com/download/73t434w3h55x5z4/Snapchat.zip

that is the whole file

------
hackdoman
www.mediafire.com/download/73t434w3h55x5z4/Snapchat.zip

real files right here

------
quantumpotato_
503 on download links

------
neom
My number is present.

------
elwell
redirects to localhost for me...

------
Ate
How do I check my data?

------
Ate
hi

------
stefan_kendall
This is only useful in wide-net fishing attacks, most of which I'm guessing no
one here would fall for.

Anyone interested in you particularly will quickly get your phone number,
email address, facebook profile, social security number, or whatever they want
if they're determined enough.

Even then, I'm not sure what information this database really provides that
could be used to gain some fraudulent or exploitive benefit.

~~~
pa5tabear
Can you really quickly get a social security number?

~~~
thirsteh
"I'm glad to let you know that you qualify for X healthcare coverage. Can I
just have your social security number and we'll send over the confirmation
documents?"

Yes, people fall for this kind of stuff all the time.

------
notastartup
How long until somebody releases an updated snapchat database linking
pinterest profile pictures? I mean if you chose a very unique username, and
went to [http://pinterest.com/username](http://pinterest.com/username), you'd
be able to discover what they possibly look like. It doesn't end there, their
email address is probably username@gmail.com too. Simply googling the username
results in connecting their twitter? facebook? myspace? linkedin? full name,
more pictures, your friends, your interests, your likes. All in all, I would
have to say, this can be potentially a far bigger loss of privacy than just
your Snapchat account.

Damn, that 3 billion dollars looks good about now.

------
mofity
Has anyone fully downloaded the list yet?

------
belluchan
Looks like they are using WhoIsGuard to protect the domain whois information.
The terms of WhoIsGuard[1] include not violating the privacy of others:

> defame, abuse, harass, threaten or otherwise violate the legal rights (such
> as rights of privacy and publicity) of others;

I've sent WhoIsGuard an email. Hopefully they'll revoke service. Shame on the
people that published this private information. They aren't hurting just
Snapchat. Revealing personal information like this can cause real problems for
people.

[1] [http://www.whoisguard.com/legal-tos.asp](http://www.whoisguard.com/legal-tos.asp)

~~~
sneak
> Shame on the people that published this private information.

That would be Snapchat.

Stop trying to censor stuff that's already out there.

[http://en.wikipedia.org/wiki/Streisand_effect](http://en.wikipedia.org/wiki/Streisand_effect)

~~~
rdl
Actually in this case the absolute best thing would be for Snapchat, Inc. to
go full court press against snapchatdb.info, as what is actually important
here is to communicate both the "snapchat security is a lie" message, and
"companies which flagrantly suck and then piss on those who report
vulnerabilities responsibly will suffer" message, rather than the actual
snapchat phone/username db. Streisand will help that more than "go to this
site which is really slow and download a huge file which you can't easily use
to find your own number or that of your friends" (without a minimum of "how to
use a computer" skill).

------
akosner
I have a theory. Last week there was a big story about how Facebook was “dead
and buried” because teens didn’t want to be on a service that their parents
had moved into. Now, when it comes to security, the parents care a lot more
than the kids. Could Snapchat be playing fast and loose with the security of
their user data as a way of scaring away the grownups?

This would be a clever ploy but for one damning fact. A large share of
Snapchat’s users are minor children. Could anyone, from the CEO of Snapchat to
the perpetrators of SnapchatDB really think that risking the broadcasting of
the phone numbers of 12-year-old girls and boys is a risk worth taking?

For more, see:
[http://www.forbes.com/sites/anthonykosner/2014/01/01/4-6-mil...](http://www.forbes.com/sites/anthonykosner/2014/01/01/4-6-million-snapchat-usernames-and-phone-numbers-captured-by-api-exploit/)

~~~
Ryel
I HAVE a theory that a (not so) clever writer for Forbes is plugging his story
by planting misguided theories everywhere UPON which I plan to plant my
theories on his planted theories on snapchat CEO "rumor" theories.

