I couldn't find my own data in the set, and actually it seems like lots of entire area codes are missing.
Assuming `cat schat.csv | uniq | cut -c1-4 | wc -l` is the proper command, there are only 76 of 322  US area codes represented.
It appears there are two Canadian area codes represented in the database: 867 and 204. There are also 248 US area codes which are not represented in the database. Assuming a relatively uniform distribution of phone numbers in the US (which is not at all a safe assumption), the average US snapchat user has better odds of not being in the list than being in it. Sampling from the set of my snapchat friends who are not in my area code, 3 of 13 can be found in the database.
If your phone number is in any of these states, you're not in the database: Alaska
 I'm matching a regex against this list http://en.wikipedia.org/wiki/List_of_North_American_Numberin...
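A worked version of the area-code arithmetic the comments above are doing by hand (distinct area codes present, per-code counts, which known codes are absent), plus the "is my number in here?" check that has to cope with the masked last two digits. This is added example code, not anything from the thread or the dump; the CSV layout (masked number, username, region) and all rows are constructed assumptions.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample rows in the assumed layout of the leaked CSV:
# number with the last two digits replaced by "XX", username, region.
# Invented for this example, not rows from the actual dump.
SAMPLE_CSV = """\
20155512XX,alice_nj,New Jersey
120155523XX,bob_nj,New Jersey
31055501XX,carol_la,California
31055512XX,dave_la,California
86755500XX,erin_yk,Yukon
"""

def normalize(number):
    """Reduce a NANP number to 10 characters, dropping a leading country code 1
    (this is the ambiguity behind cut -c1-3 vs cut -c1-4 in the thread)."""
    digits = re.sub(r"[^0-9X]", "", number.upper())
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    if len(digits) != 10:
        raise ValueError("not a 10-digit NANP number: %r" % number)
    return digits

def parse_rows(text):
    """Return (masked_number, username, region) tuples, skipping malformed rows."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) < 3:
            continue
        try:
            rows.append((normalize(rec[0]), rec[1].strip(), rec[2].strip()))
        except ValueError:
            continue
    return rows

def count_by_area_code(rows):
    """Entries per area code, like the table posted further down the thread."""
    return Counter(num[:3] for num, _, _ in rows)

def coverage(counts, known_area_codes):
    """Split known area codes into those present in the dump and those absent."""
    present = {ac for ac in known_area_codes if ac in counts}
    return present, set(known_area_codes) - present

def masked_matches(my_number, rows):
    """Usernames whose masked entry shares the 8 visible digits of my_number.
    A hit means my number is one of up to 100 candidates, not a confirmed listing."""
    mine = normalize(my_number)
    return [u for num, u, _ in rows if num.endswith("XX") and num[:8] == mine[:8]]
```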
Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way.
How would you fix it? The app needs to know if your phone contacts are on snapchat, and if they are, what their usernames are. In other words, the API needs to exist.
Do we really need rules saying "don't post other people's non-public personal details" like Reddit? Someone needs to tell you that?
He's not a king, guys.
You guys need to go out more, since women are more than OK with people swearing; you're not talking to toddlers here.
Now, this is a comment, not a fucking essay or interview (haha, PG fucked up really bad, huh? So bad he's gonna have a women-only conference).
Now I sound like a troll, so I'll shut up, but seriously, women are OK with swearing (that includes all George Carlin's 7 words).
The leaked database: doesn't have full phone numbers and I don't think it should have been posted either -- I didn't upvote it.
Nobody should have their personal contact details posted against their wishes. I do not particularly care about Mark Zuckerberg.
I posted a joke on a comment of someone going "This. A million times this." the other day cuz that is the most melodramatic, overused, annoying, lame textual meme... the joke was pretty innocuous & immediately got like 5 downvotes.
I don't mean to hate too hard cuz it is what it is, I don't care about my karma, & obv it's good enough that I still read articles here, but posters being annoying/hypocritical/oversensitive/humourless/feeling that they are the protectors of society... very common on HN. I think it is some facet of the nature of people thinking they are real sophisticated by reading HN for some odd reason (basing this on all the wannabe devs I know on social sites who make it a point to mention it constantly in posts like "my fav sites to procrastinate on"), whereas there are lots of higher-level programming communities out there who seem to have less of this self-seriousness.
That said, occasionally there is that nice moment of a few reasonable people chatting with each other & introducing each other to tech they may have otherwise overlooked. I'm heavy into Clojure & the other day a Lisper on here pointed me to freenode to get community help rather than SO, for example. It's all percentages, I guess :-/
Not society, just the SNR (https://en.wikipedia.org/wiki/Signal-to-noise_ratio).
I understand it as a way for SNR, sure, but mostly it's just a way to fade the text of people you disagree with. It doesn't solve much for people who can skim, & it usually just makes me more curious about what got downvoted (some of the comments are very insightful but just pissed off those with the normative opinion).
I'm just not into kool-aid drinking & the weird PG (harhar, no pun intended) vibe of HN, while downvoting & having this weird karma system smacks of lame culty passive aggression, which incidentally is much more offensive to me than actual aggression.
I didn't want to come off as indignant tho, it's just a funny coincidence. You never quite know who you are condescending to on here.
(The NANP covers Canada, the Northern Mariana Islands, the United States, and a large list of island nations in the North American area.)
10-digit example: XXX - YYY - zzzz
The leaked data area codes are represented by the regional/XXX block and the carriers are in the local/YYY block in the 10-digit example.
cut -c1-4 schat.csv | sort -u | wc -l
/I have no idea what I am talking about :-)
(aside from not being vulnerable to this in the first place, but that actually is a lot to ask. I still can't believe anyone relied on the Snapchat model of security more so than any other app, although from an ease of use, non-security perspective, sure, it's reasonable.)
Nowadays one or a few phone numbers are unique to you, which makes it linkable to other things. Linkability is something that breaks privacy, so if you don't want your full name to be known somewhere, it is important to be able to keep things separate. When your phone number goes public (e.g. resumé and snapchat), that anonymity is broken.
Now generally it's advisable to use a unique handle (or your real name) for a service so closely tied to a piece of real life identification like your phone number, but I don't think a lot of people do it.
In the specific case though, it's as if you had already asked to be removed from the phone book (implicitly trusting the company), and then your number was published anyway.
But it was a matter of time until this happened, the exploit still works with minor modifications, you just have to be smart about it.
For us it was really, really good that he rejected the offer! Because otherwise we would see the trade market crash by $3bn, and guess who would have to pay for the loss... we...
Well, if he saw that coming, which I doubt, he would be a hero.
I don't know about that. Their dismissal was (at least framed as) "well that's a lot of data, so it's not going to happen!"
Actual excerpt from their blog, on the 27th: "Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way."
This is kind of a joke.
Did they really claim phone numbers are hashed? If so, why has nobody else touched on this subject?
No idea on the downvotes. I guess because, like I said, telling users you hash the phone numbers doesn't matter if you're using them to search for an unhashed userid. But they're implying to users that their phone numbers are secure because they're hashed, when it really doesn't matter.
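The two points made above, that the find-friends API has to exist and that hashing stored numbers changes nothing when the endpoint looks up whatever number the caller sends, in runnable form. This is an added, hypothetical sketch, not Snapchat's code: the directory really is keyed by SHA-256 of the number, yet a lookup still returns the username, so the only control that bites is the per-account budget on batch size and distinct numbers probed. Class and method names, limits and sample users are all constructed.

```python
import hashlib
from collections import defaultdict

class QuotaExceeded(Exception):
    """Raised when a caller's lookup pattern looks like enumeration, not a contact list."""

def phone_hash(number):
    """Server-side hash of a phone number: all that 'we hash phone numbers' buys."""
    return hashlib.sha256(number.encode()).hexdigest()

class FindFriends:
    """Hypothetical contact-matching endpoint (constructed for this example).

    The directory stores hash(phone) -> username, but because lookup() hashes
    the caller-supplied number before matching, hashing protects nothing
    against a caller who simply sends many numbers. The guards below are what
    actually limit enumeration: a batch cap sized for a real address book and a
    budget of distinct numbers each account may probe (a deployment would reset
    the probed set daily; that bookkeeping is omitted here)."""

    MAX_BATCH = 500          # a plausible address book, not an area code
    DISTINCT_BUDGET = 2000   # distinct numbers one account may probe per period

    def __init__(self, users):
        # users: {phone_number: username}, stored only as hash -> username
        self.directory = {phone_hash(p): u for p, u in users.items()}
        self.probed = defaultdict(set)   # account -> hashes already looked up

    def lookup(self, account, numbers):
        """Return {number: username} for the caller's contacts that are registered."""
        if len(numbers) > self.MAX_BATCH:
            raise QuotaExceeded("batch of %d exceeds %d" % (len(numbers), self.MAX_BATCH))
        hashes = {n: phone_hash(n) for n in numbers}
        seen = self.probed[account]
        new = set(hashes.values()) - seen        # re-uploading the same list is free
        if len(seen) + len(new) > self.DISTINCT_BUDGET:
            raise QuotaExceeded("account %s exceeded its distinct-number budget" % account)
        seen |= new
        return {n: self.directory[h] for n, h in hashes.items() if h in self.directory}
```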
Regarding the leak, yeah, that actually happens when you focus on the product but not on the security and reliability of your system. Snapchat, WhatsApp and many others have been hacked numerous times and yet it still happens.
Perhaps to see if one's own number is among those leaked?
For example, in implicit social code it is impolite to give away a friend's phone number without asking them first.
I'm not savvy enough to have the link at hand but I vividly remember that happening.
https://news.ycombinator.com/item?id=6962329 (6 days ago)
https://news.ycombinator.com/item?id=6970036 (4 days ago)
At least they had the tact to omit the complete phone numbers, but agreeing to release them under certain conditions just seems malicious.
> For now, we have censored the last two digits of the phone numbers in order to minimize spam and abuse. Feel free to contact us to ask for the uncensored database. Under certain circumstances, we may agree to release it.
The first thing that came to mind was "oh boy, I'll bet this made Zuck's new years eve!"
You can confirm my identity by messaging the original Bitmessage address which was captured by http://www.reddit.com/r/netsec/comments/1u4xss/snapchat_phon...
That's kind of the thing about privacy. It's kind of slipping away, but if you don't care that it is then it's prob cause it doesn't matter to you yet.
Because if I do have an alias which is doing very shady things, I would make pretty sure it's not going to be that easy to get to it. When doing stuff like that you want to be sure that there's a "shared nothing" approach. So if they hack your systems, your primary system won't contain any information referring to the shady side and vice versa.
We are talking about teenagers sending pictures to each other, not weed dealers in a prohibition state.
Did they give Snapchat enough time to fix this before releasing this data?
NOTE: I've heavily edited this comment because when I first read the website I thought snapchat ignored the people who found an exploit but re-reading, it's no longer clear to me that releasing this data is not pure malice.
NOTE2: The link from couchdive's comment makes this more interesting - http://www.zdnet.com/researchers-publish-snapchat-code-allow... - but still, the webpage hosting the data said the exploit was fixed, so it wasn't ignored, so... I don't know what the purpose of releasing this data was.
Pardon me while I go to BTC-e.com and have it generate a new address. I don't need to be getting mixed up in this.
They have already got $1USD for this.
When I first read your post, smtddr, I got worried we had a collision!
I've found the quality of blockchain auditing in 2013 highly inaccurate. I recently brought attention to a case on reddit where someone 'chased' the SMP thief through a tumbler and found... the 96k wallet allegedly owned by btc-e.
It's a shame if a non-published address of yours has been tainted in someone's inaccurate blockchain analysis.
Also, that whole reddit thread about chasing the SMP stolen coins I thought was too hard to actually pull off. For example, I use coinbase to buy BTC, to send to BTC-e.com, to buy Litecoins and ultimately store them in the offline address that's in my HN profile. Can anyone show me the blockchain.info URLs that would prove my actions? If the SMP people changed coin-types, that's how it'd end up on BTC-e.com's wallet. In fact, maybe that same flawed logic is how my BTC-e.com address ended up in that list - capturing addresses that BTC-e.com uses for its customers or internal operations.
Based on the page for that tool ( http://miki.it/articles/papers/#bitiodine ), it looks like they would be interested to know of the failure.
This whole incident reminds me of Reddit doxxing. This could have ended up much worse for me. I'm just glad I found out this way instead of the police requesting info from Google about my youtube account and gmail inbox then busting down my door in the middle of the night.
So this particular 'accusations.txt' doesn't mean very much.
Why not just release the usernames and leave out the phone numbers?
2. Cell numbers aren't published in those books, which this affects.
2. Land lines these days are somewhat separate from our lives. It's relatively easy to ignore. Getting phishing texts (say, faking our banks, since some -- including myself -- have some bank alerts texted to us) to our cellphones could be quite harmful. If you send a million texts pretending to be Chase, and say 50% of the numbers are legit cell phone numbers, and 20% of people have Chase accounts, and 0.1% of people fall for the phishing attempt, then you get 1/10,000 people getting phished. That's 100 people out of a million affected monetarily, and 500,000 people getting annoyed by the spam.
Obviously this is back of the envelope, but this is one reason it could matter.
edit: a comment thread below mentions that the bottom two digits are hidden at this moment but will be revealed for interested parties. That really smells like the numbers will be sold to spam/phishing operations.
The XXs hide the last two digits of every number. The list is also massively incomplete.
Great, Snapchat isn't secure, and they probably didn't give a damn when notified of the vulnerability (not surprising, given their cavalier attitudes), but why expose their audience in order to prove a point?
Not cool man.
name | areacode | count
Chicago Suburbs | 815 | 215953
Eastern Los Angeles | 909 | 215855
San Fernando Valley | 818 | 205544
Southern California | 951 | 200008
Los Angeles | 310 | 196183
Northern Chicago Suburbs | 847 | 195925
Denver-Boulder | 720 | 188285
Downtown Los Angeles | 323 | 168565
New York City | 347 | 166374
New York City | 917 | 165420
Fort Lauderdale | 954 | 153522
Northern New York | 315 | 147447
Buffalo | 716 | 144939
Southern Illinois | 618 | 144280
Boulder-Denver | 303 | 139265
Southern Michigan | 617 | 138821
Northeastern New York State | 518 | 138043
Champaign-Urbana | 217 | 135837
Oakland | 510 | 130531
Miami | 786 | 117906
Westchester County, NY | 914 | 116632
Western and Northern Colorado | 970 | 115378
San Francisco | 415 | 108883
Miami | 305 | 104415
Southeastern Colorado | 719 | 102932
Manhattan | 646 | 96646
Mountain View | 650 | 94430
Chicago | 312 | 70709
Southwest Connecticut | 203 | 60629
Bronx, Queens, Brooklyn | 718 | 51086
Boston | 857 | 41857
Central Arizona | 480 | 35631
South Carolina | 864 | 33034
Eastern Ohio | 330 | 32721
Arkansas | 870 | 28940
Idaho | 208 | 26827
Southeastern Virginia | 757 | 21170
Los Angeles | 213 | 13705
Southeastern Ohio | 740 | 11597
Eastern San Francisco | 209 | 11356
Seattle | 206 | 10623
Fort Lauderdale | 754 | 10131
Maine | 207 | 10126
Northern Louisiana | 318 | 9842
Indianapolis | 317 | 8151
Northwestern Arkansas | 479 | 7300
Manitoba | 204 | 7211
Minnesota | 320 | 7162
Southeastern Michigan incl. Ann Arbor | 734 | 7077
Eastern part of Southern New Jersey | 609 | 6952
Pennsylvania | 484 | 6314
Manhattan | 212 | 3970
Pennsylvania | 610 | 3930
Southern New York State | 607 | 3437
Central Florida | 321 | 3258
New York City | 929 | 2651
Florida | 863 | 2642
Southeastern California | 760 | 2523
Southwestern Wisconsin | 608 | 2217
Central Texas | 325 | 1542
Central Georgia | 478 | 1396
Western Central Alabama | 205 | 825
Eastern Kentucky | 606 | 565
DuPage County, Illinois | 331 | 512
Eastern part of central New Jersey | 732 | 507
South Dakota | 605 | 375
Knoxville, Tennessee | 865 | 263
Southwestern Connecticut | 475 | 253
Eastern Iowa | 319 | 198
Georgia | 470 | 163
Minneapolis | 612 | 103
San Fernando Valley, LA | 747 | 84
Canadian territories in the Arctic far north | 867 | 31
Washington DC | 202 | 3
Georgia | 762 | 2
Dallas | 469 | 1
that is the whole file
real files right here
Anyone interested in you particularly will quickly get your phone number, email address, facebook profile, social security number, or whatever they want if they're determined enough.
Even then, I'm not sure what information this database really provides that could be used to gain some fraudulent or exploitive benefit.
Yes, people fall for this kind of stuff all the time.
What's really sad is that, if all those phone numbers were already public, I guess nobody would have cared to create something like SnapChat in the first place..
Damn, that $3 billion looks good about now.
> defame, abuse, harass, threaten or otherwise violate the legal rights (such as rights of privacy and publicity) of others;
I've sent WhoIsGuard an email. Hopefully they'll revoke service. Shame on the people that published this private information. They aren't hurting just Snapchat. Revealing personal information like this can cause real problems for people.
That would be Snapchat.
Stop trying to censor stuff that's already out there.
They also say:
> Feel free to contact us to ask for the uncensored database. Under certain circumstances, we may agree to release it.
which is, in my opinion, kind of messed up. (Unless I'm missing a reason why that would be helpful in any way.)
This would be a clever ploy but for one damning fact. A large share of Snapchat’s users are minor children. Could anyone, from the CEO of Snapchat to the perpetrators of SnapchatDB really think that risking the broadcasting of the phone numbers of 12-year-old girls and boys is a risk worth taking?
For more, see: http://www.forbes.com/sites/anthonykosner/2014/01/01/4-6-mil...
Why is my theory any less loony than yours?