Snapchat Phone Number Database Leaked (snapchatdb.info)
398 points by lightcontact 573 days ago | 213 comments



The top comment on Reddit r/netsec's corresponding coverage has mirrors on Mega.co.nz for the files [1]

I couldn't find my own data in the set, and actually it seems like lots of entire area codes are missing.

Assuming `cat schat.csv | uniq | cut -c1-4 | wc -l` is the proper command, there are only 76 of 322 [2] US area codes represented.

It appears there are two Canadian area codes represented in the database: 867 and 204. There are also 248 US area codes which are not represented in the database. Assuming a relatively uniform distribution of phone numbers in the US (which is not at all a safe assumption), the average US snapchat user has better odds of not being in the list than being in it. Sampling from the set of my snapchat friends who are not in my area code, 3 of 13 can be found in the database.

If your phone number is in any of these states, you're not in the database: Alaska, Delaware, Hawaii, Kansas, Maryland, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Mexico, North Carolina, North Dakota, Oklahoma, Oregon, Rhode Island, Utah, Vermont, West Virginia, Wyoming.

[1] http://www.reddit.com/r/netsec/comments/1u4xss/snapchat_phon...

[2] I'm matching a regex against this list http://en.wikipedia.org/wiki/List_of_North_American_Numberin...

-----


Snapchat devs explained how to create the database on Dec 27th:

  Theoretically, if someone were able to upload a huge set 
  of phone numbers, like every number in an area code, or 
  every possible number in the U.S., they could create a 
  database of the results and match usernames to phone 
  numbers that way.
http://blog.snapchat.com/post/71353347590/finding-friends-wi...

omg

-----


Um..yeah..I just noticed that. That's REALLY embarrassing for them.

-----


I submitted that blog post here because it was so irritating. I wasn't daring anyone to do anything and had nothing to do with snapchatdb.

-----


Here is a video of a guy hacking SnapChat and finding out Mark Zuckerberg's login info like phone #, email. The video was posted on Dec 26th. How come they did not fix this..

https://www.youtube.com/watch?v=JEWugKX98P0

-----


> How come they did not fix this..

How would you fix it? The app needs to know if your phone contacts are on snapchat, and if they are, what their usernames are. In other words, the API needs to exist.

-----


Don't allow bulk matching for one. Or require the same secret key with the phone number match that is required for other API actions.

-----
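One way to implement the two mitigations suggested in the comment above (require the same authenticated session as every other API action, and refuse bulk matching), as an added Python example that is not Snapchat's code or any commenter's. The `FriendFinder` class, the limit values, the in-memory directory and the session handling are assumptions made for illustration; a real service would back them with its own auth and storage.

```python
"""Contact matching with an authenticated caller, a batch cap and a per-account
quota. Added example, not Snapchat's code; the class, limit values and the
in-memory directory are assumptions made for illustration."""
import re
import secrets
import time
from collections import defaultdict

MAX_BATCH = 100            # assumed cap on numbers per find-friends request
DAILY_QUOTA = 1000         # assumed cap on numbers looked up per account per day
WINDOW_SECONDS = 24 * 3600


class Unauthorized(Exception):
    """Request carried no valid session token."""


class BatchTooLarge(Exception):
    """More numbers in one request than MAX_BATCH allows."""


class RateLimited(Exception):
    """Account has exhausted its lookup quota for the current window."""


def normalize(number):
    """Reduce a user-entered number to 10 NANP digits, or None if it is not one."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]                  # drop the country code
    return digits if len(digits) == 10 else None


class FriendFinder:
    def __init__(self, directory, clock=time.time):
        self._directory = directory          # normalized number -> username
        self._sessions = {}                  # token -> account id
        self._usage = defaultdict(list)      # account id -> [(timestamp, count)]
        self._clock = clock                  # injectable for testing

    def login(self, account_id):
        """Issue a random session token; a real service would tie this to a credential check."""
        token = secrets.token_hex(16)
        self._sessions[token] = account_id
        return token

    def _charge_quota(self, account_id, count):
        """Fail if this request would push the account past DAILY_QUOTA in the window."""
        now = self._clock()
        recent = [(t, c) for t, c in self._usage[account_id] if now - t < WINDOW_SECONDS]
        used = sum(c for _, c in recent)
        if used + count > DAILY_QUOTA:
            raise RateLimited(f"{used} of {DAILY_QUOTA} lookups already used")
        recent.append((now, count))
        self._usage[account_id] = recent

    def find_friends(self, token, numbers):
        """Return {submitted number: username} for the numbers that belong to users."""
        account_id = self._sessions.get(token)
        if account_id is None:
            raise Unauthorized("missing or unknown session token")
        if len(numbers) > MAX_BATCH:
            raise BatchTooLarge(f"{len(numbers)} numbers exceeds cap of {MAX_BATCH}")
        # Quota is charged for every number submitted, matched or not, so a caller
        # feeding in made-up numbers burns it exactly as fast as one matching real contacts.
        self._charge_quota(account_id, len(numbers))
        matches = {}
        for raw in numbers:
            normalized = normalize(raw)
            if normalized is not None and normalized in self._directory:
                matches[raw] = self._directory[normalized]
        return matches


def demo():
    """Constructed directory and a single legitimate request."""
    finder = FriendFinder({"6505550100": "larrypage"}, clock=lambda: 1000.0)
    token = finder.login("account-42")
    return finder.find_friends(token, ["+1 (650) 555-0100", "212-555-0199"])


if __name__ == "__main__":
    print(demo())
```

The quota is deliberately charged per number submitted rather than per request, and the window is measured with an injected clock so the limit can be exercised in tests without waiting a day.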


[phone number removed]

-----


What purpose does posting that serve? I think we've already pretty clearly established the flaw is real. What does intruding on the personal life of an unrelated person have to do with it?

Do we really need rules saying "don't post other people's non-public personal details" like Reddit? Someone needs to tell you that?

-----


If it ever was his number, it's been changed by now.

-----


zucks cell#? probably want to delete that.

-----


rung for a minute then it ended on his side (no voicemail set up).

-----


You guys are huge cock suckers... You just upvoted a database leaking millions of people's phone numbers but when somebody posts Zuck's phone number... Oh no! You should delete that.

He's not a king guys.

-----


And while we're here, "cock sucker" is not an insult, and my fellow gay hackers and I would prefer if you didn't use it as one.

-----


And we wonder why no women are in tech...

-----


Do you know any women? Seriously, most of them are OK when calling assholes (like many of HN users) "cock suckers".

You guys need to go out more, since women are more than OK when people swear, you're not talking to toddlers here.

Now, this is a comment, not a fucking essay or interview (haha PG fucked up really bad huh? So bad he's gonna have a women only conference).

Now I sound like a troll, so I'll shut up, but seriously, women are OK with swearing (that includes all George Carlin's 7 words).

-----


why? can't women in your mind take a joke? The women I know are perfectly capable of hearing phrases like that, they aren't some fragile gender that need to be protected.

-----


thanks for speaking for your women (best?) friends for us. brave

-----


HN is not a monolith. You are implying hypocrisy where none necessarily exists.

The leaked database: doesn't have full phone numbers and I don't think it should have been posted either -- I didn't upvote it.

Nobody should have their personal contact details posted against their wishes. I do not particularly care about Mark Zuckerberg.

-----


The database is censored (XX instead of the last two numbers of each number)

-----


like other people are saying -- HN is news by committee. just try to post a joke on here one day & see how many rapid downvotes it gets if you ever need proof of how lame & uptight the HN crowd can be once they hit that 500 rep.

i posted a joke on a comment of someone going "This. A million times this." the other day cuz that is the most melodramatic, overused, annoying, lame textual meme... the joke was pretty innocuous & immediately got like 5 downvotes.

I don't mean to hate too hard cuz it is what it is, i dont care about my karma, & obv its good enough that i still read articles here but posters being annoying/hypocritical/oversensitive/humourless/feeling that they are the protectors of society... very common on HN. I think it is some facet of the nature of people thinking they are real sophisticated by reading HN for some odd reason (basing this on all the wannabe devs I know on social sites who make it a point to mention it constantly in posts like "my fav sites to procrastinate on"), whereas there are lots of higher-level programming communities out there who seem to have less of this self-seriousness.

that said, occasionally there is that nice moment of a few reasonable people chatting each other & introducing to tech they may have otherwise overlooked. I'm heavy into Clojure & the other day a Lisper on here pointed me to freenode to get community help rather than SO, for example. It's all percentages, I guess :-/

-----


> feeling that they are the protectors of society...

Not society, just the SNR (https://en.wikipedia.org/wiki/Signal-to-noise_ratio).

-----


obvious logic, link to wiki for explanation of common term -- u my friend are due for about 5 upvotes in the HN chain of circular validation.

i understand it as a way for SNR sure, but mostly its just a way to fade the text of people you disagree with. it doesn't solve much for people who can skim, & it usually just makes me more curious about what got downvoted (some of the comments are very insightful but just pissed off those with normative opinion)

im just not into kool-aid drinking & the weird PG (harhar no pun intended) vibe of HN while downvoting & having this weird karma system smacks of lame culty passive aggression, which incidentally is much more offensive to me than actual aggression

-----


also i wasn't gonna say anything but can't help from chuckling about it -- i am an audio DSP engineer so by nature I've probably done more work/research concerning SNR than 99% of people on the planet ever will lol.

i didnt want to come off as indignant tho, its just a funny coincidence. you never quite know who you are condescending to on here

-----


I've worked with audio DSP, too. I think the comparison to audio SNR is appropriate. The wiki link was as much for other readers as for you or me.

-----


It had never occurred to me that cell phone operators would use area codes. In my small home country, there is basically one 'area code' per cell phone operator. First lesson learnt in 2014! :)

-----


All phone numbers in the North American Numbering Plan (NANP) are allocated first as area codes by region and then by prefix for smaller locations. Some states, like Wyoming, have a single area code (307) while metro areas, like Houston, can have multiple area codes (713, 281, 832, 346) all covering the same physical place. This is a holdover of calling party pays so that a caller will know where a given phone number "lives." This distinction has become less visible with the advent of local number portability and nationwide mobile roaming.

(The NANP covers Canada, the Northern Mariana Islands, the United States, and a large list of island nations in the North American area.)

-----


That doesn’t just apply to small countries. I was also unaware that mobile phone numbers could have area codes and I’m from Germany (where each mobile operator has one three digit code – but even that is becoming meaningless with legally required number portability from operator to operator).

-----


Less visible to people, though the way GSM works means that every call and text you receive entails a lookup to your number's original provider. Prefix allocations to mobile networks are static and they are required to return a new route if you've ported. Which means if a company leaves the market, someone has to take on their allocations or even non-current customers will lose connectivity. Or at least that was true last time I checked, 4 or so years ago. Kind of crazy.

-----


In my experience in the US, the carriers/operators have an area code or two, but it's in the local area code rather than regional area code.

10-digit example: XXX - YYY - zzzz

The leaked data area codes are represented by the regional/XXX block and the carriers are in the local/YYY block in the 10-digit example.

-----


In many countries the caller pays for the cellular airtime. You have to know how much your call is going to cost before you dial it, so a new area code is needed. In the US, the cell phone user pays for the airtime even for calls they receive, so a new area code was never needed.

-----


The only Canadian area codes are for Manitoba and the Far North. Not so bad :)

-----


On the grand scale yes. For those of us in Manitoba (or presumably, the far north), there's not too much solace in that fact.

-----


I think you meant

  cat schat.csv | cut -c1-4 | uniq | wc -l

-----


Oops. That's actually what I ran but I typed the wrong command into the text box.

-----


It's also worth noting that some states have partial coverage. For example, all the area codes in Massachusetts are missing from the list, with the exception of "857" and "617" (both Boston area codes) but the latter is incorrectly labeled as "Southern Michigan".

-----


Bummer that Hawaii is not in the DB. For once I was actually hoping to see my data leaked somewhere aside from the Adobe incident. Dangit.

-----


Just like to remind everyone that snapchat was aware of this exploit and dismissive in regards to it.

http://www.theverge.com/2013/12/27/5249304/snapchat-dismisse...

-----


Heckuvajob, Brownie.

-----


CSV: magnet:?xt=urn:btih:bab9548c3770188c70d27ded9b22348f5b979713&dn=Snapch at+database+CSV&tr=udp%3A%2F%2Ftracker.openbittorrent.com%3A80 &tr=udp%3A%2F%2Ftracker.publicbt.com%3A80&tr=udp%3A%2F%2Ftrack er.istole.it%3A6969&tr=udp%3A%2F%2Ftracker.ccc.de%3A80&tr=udp% 3A%2F%2Fopen.demonii.com%3A1337

SQL: magnet:? xt=urn:btih:f7b1cec6280edb8169d63550ba2dfb224df7810d&dn=Snapch at+database+SQL&tr=udp%3A%2F%2Ftracker.openbittorrent.com%3A80 &tr=udp%3A%2F%2Ftracker.publicbt.com%3A80&tr=udp%3A%2F%2Ftrack er.istole.it%3A6969&tr=udp%3A%2F%2Ftracker.ccc.de%3A80&tr=udp% 3A%2F%2Fopen.demonii.com%3A1337

Both: magnet:? xt=urn:btih:fae9c0a8b2eee2f9cc31c713f21a4cda4083612b&dn=Snapch at+Database+CSV+%26amp%3B+SQL&tr=udp%3A%2F%2Ftracker.openbitto rrent.com%3A80&tr=udp%3A%2F%2Ftracker.publicbt.com%3A80&tr=udp %3A%2F%2Ftracker.istole.it%3A6969&tr=udp%3A%2F%2Ftracker.ccc.d e%3A80&tr=udp%3A%2F%2Fopen.demonii.com%3A1337

-----


That's crazy how some personal info, once leaked, becomes public/underground data leaving no real way to repair. (I'm thinking about leaks of other info with an expiry, or tier revoking, like OAuth tokens.)

-----


Blockchain roll-backs of leaked info?

/I have no idea what I am talking about :-)

-----


actually these links are bullshit. only PARTIAL NUMBERS. I have over 80 million US numbers myself and 20 million cellphones. I sell numbers cheap. Hit me up through LeadPro.net cheers!

-----


Possibly they shouldn't have pissed on the people who notified them of the vulnerability, and on the journalists who broke the story?

(aside from not being vulnerable to this in the first place, but that actually is a lot to ask. I still can't believe anyone relied on the Snapchat model of security more so than any other app, although from an ease of use, non-security perspective, sure, it's reasonable.)

-----


I guess I'm dating myself, but didn't we used to call that the phone book?

-----


Fuck, misclicked downvote (wanted to upvote). Really great how HN does not allow changing votes at least once. Sorry for that, but yeah good point.

Nowadays one or a few phone numbers are unique to you, which makes it linkable to other things. Linkability is something that breaks privacy, so if you don't want your full name to be known somewhere, it is important to be able to keep things separate. When your phone number goes public (e.g. resumé and snapchat), that anonymity is broken.

-----


Someone always does it for me, so here is a compensation upvote. I agree, a few mins of vote changing grace would be nice.

-----


Setting aside the privacy of cell versus landline numbers, the phone book never had anything analogous to a Snapchat user name.

-----


Yeah, it had your actual name AND your address.

-----


I strongly disagree that your street address being linked to your name is the same as your pseudonymous snapchat username being linked to your cell phone number.

-----


I hope you're agreeing that the street address is way more private than a snapchat user name...

-----


I think the point is that we expect our phone numbers to identify us in the real world but don't expect them to point to our handles online. If I use the same username on Snapchat that I do for something embarrassing like, say, my tumblr, someone who knows me IRL can look me up and find my more private online presence. This is just as real an issue as the reverse scenario in which Internet stalkers find out my phone number or something.

Now generally it's advisable to use a unique handle (or your real name) for a service so closely tied to a piece of real life identification like your phone number, but I don't think a lot of people do it.

-----


One can always change street addresses. But it's a royal pain to create new usernames.

-----


at some point people started thinking that mobile phones somehow need to be more personal than land lines.

In the specific case though, it's as if you had already asked to be removed from the phone book (implicitly trusting the company), and then your number was published anyway.

-----


For the record we don't know about SnapchatDB.

But it was a matter of time until this happened, the exploit still works with minor modifications, you just have to be smart about it.

-----


Anyone else tried putting together some stats from the info?

                       name                     | areacode | count  
  ----------------------------------------------+----------+--------
   Chicago Suburbs                              | 815      | 215953
   Eastern Los Angeles                          | 909      | 215855
   San Fernando Valley                          | 818      | 205544
   Southern California                          | 951      | 200008
   Los Angeles                                  | 310      | 196183
   Northern Chicago Suburbs                     | 847      | 195925
   Denver-Boulder                               | 720      | 188285
   Downtown Los Angeles                         | 323      | 168565
   New York City                                | 347      | 166374
   New York City                                | 917      | 165420
   Fort Lauderdale                              | 954      | 153522
   Northern New York                            | 315      | 147447
   Buffalo                                      | 716      | 144939
   Southern Illinois                            | 618      | 144280
   Boulder-Denver                               | 303      | 139265
   Southern Michigan                            | 617      | 138821
   Northeastern New York State                  | 518      | 138043
   Champaign-Urbana                             | 217      | 135837
   Oakland                                      | 510      | 130531
   Miami                                        | 786      | 117906
   Westchester County, NY                       | 914      | 116632
   Western and Northern Colorado                | 970      | 115378
   San Francisco                                | 415      | 108883
   Miami                                        | 305      | 104415
   Southeastern Colorado                        | 719      | 102932
   Manhattan                                    | 646      |  96646
   Mountain View                                | 650      |  94430
   Chicago                                      | 312      |  70709
   Southwest Connecticut                        | 203      |  60629
   Bronx, Queens, Brooklyn                      | 718      |  51086
   Boston                                       | 857      |  41857
   Central Arizona                              | 480      |  35631
   South Carolina                               | 864      |  33034
   Eastern Ohio                                 | 330      |  32721
   Arkansas                                     | 870      |  28940
   Idaho                                        | 208      |  26827
   Southeastern Virginia                        | 757      |  21170
   Los Angeles                                  | 213      |  13705
   Southeastern Ohio                            | 740      |  11597
   Eastern San Francisco                        | 209      |  11356
   Seattle                                      | 206      |  10623
   Fort Lauderdale                              | 754      |  10131
   Maine                                        | 207      |  10126
   Northern Louisiana                           | 318      |   9842
   Indianapolis                                 | 317      |   8151
   Northwestern Arkansas                        | 479      |   7300
   Manitoba                                     | 204      |   7211
   Minnesota                                    | 320      |   7162
   Southeastern Michigan incl. Ann Arbor        | 734      |   7077
   Eastern part of Southern New Jersey          | 609      |   6952
   Pennsylvania                                 | 484      |   6314
   Manhattan                                    | 212      |   3970
   Pennsylvania                                 | 610      |   3930
   Southern New York State                      | 607      |   3437
   Central Florida                              | 321      |   3258
   New York City                                | 929      |   2651
   Florida                                      | 863      |   2642
   Southeastern California                      | 760      |   2523
   Southwestern Wisconsin                       | 608      |   2217
   Central Texas                                | 325      |   1542
   Central Georgia                              | 478      |   1396
   Western Central Alabama                      | 205      |    825
   Eastern Kentucky                             | 606      |    565
   DuPage County, Illinois                      | 331      |    512
   Eastern part of central New Jersey           | 732      |    507
   South Dakota                                 | 605      |    375
   Knoxville, Tennessee                         | 865      |    263
   Southwestern Connecticut                     | 475      |    253
   Eastern Iowa                                 | 319      |    198
   Georgia                                      | 470      |    163
   Minneapolis                                  | 612      |    103
   San Fernando Valley, LA                      | 747      |     84
   Canadian territories in the Arctic far north | 867      |     31
   Washington DC                                | 202      |      3
   Georgia                                      | 762      |      2
   Dallas                                       | 469      |      1

I wonder where they were getting the numbers to search by from. From how they described the vulnerability, I would have thought they would just iterate through all possible phone numbers. If they're doing that, it's strange how there's exactly 1 number for the Dallas area code.

-----
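The two kinds of count the thread computes (the distinct-area-code figure that the `cut | uniq | wc -l` pipeline earlier in the thread aims at, and the per-area-code totals in the table above), as an added Python example that is not code from any commenter or from snapchatdb. The CSV layout is assumed from the row quoted elsewhere in the thread (`"65039076XX","larrypage","Mountain View"`: a 10-digit number with its last two digits masked, then username, then a location label); the rows embedded in the script are constructed, not real leaked data.

```python
"""Area-code statistics over a snapchatdb-style CSV. Added example; the CSV
layout is assumed from a row quoted in the thread, the sample rows are made up."""
import csv
import io
from collections import Counter

# Constructed sample rows, not real leaked data.
SAMPLE_CSV = """\
"21270012XX","alice_nyc","Manhattan"
"65039076XX","larrypage","Mountain View"
"20455512XX","winnipeg_guy","Manitoba"
"21299901XX","bob_nyc","Manhattan"
"86799900XX","north_of_60","Canadian territories in the Arctic far north"
"65055501XX","palo_alto_jane","Mountain View"
"46955500XX","lone_dallas","Dallas"
"""

CANADIAN_AREA_CODES = {"204", "867"}   # the two the thread identifies


def parse_rows(text):
    """Yield (area_code, username, label) per CSV row, skipping rows that are not
    a 10-character number field followed by a username."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2:
            continue
        number = row[0].strip()
        # A NANP area code is the first three digits of the 10-digit number;
        # the masked "XX" suffix does not affect it.
        if len(number) != 10 or not number[:3].isdigit():
            continue
        label = row[2].strip() if len(row) > 2 else ""
        yield number[:3], row[1].strip(), label


def area_code_counts(text):
    """Entries per area code, the same figure as the count column above."""
    return Counter(code for code, _, _ in parse_rows(text))


def distinct_area_codes(text):
    """Number of distinct area codes, independent of the file's row order."""
    return len(area_code_counts(text))


def top_area_codes(text, n=None):
    """(area code, count) pairs sorted by count descending, then by code."""
    ranked = sorted(area_code_counts(text).items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked if n is None else ranked[:n]


def canadian_entries(text):
    """How many rows fall in the Canadian area codes named in the thread."""
    return sum(c for code, c in area_code_counts(text).items() if code in CANADIAN_AREA_CODES)


if __name__ == "__main__":
    print(f"{distinct_area_codes(SAMPLE_CSV)} distinct area codes, "
          f"{canadian_entries(SAMPLE_CSV)} Canadian entries")
    for code, count in top_area_codes(SAMPLE_CSV):
        print(f"  {code}  {count:>6}")
```

One caveat for the shell version: `uniq` only collapses adjacent duplicates, so `cut -c1-4 | uniq | wc -l` is only correct if the file is already sorted by number (`sort -u` removes that dependency). The script counts with a `Counter`, so row order does not matter.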


Not at all surprised. Anyone that used the app would be suspicious of the backend behind it. Should have taken that $3bn while you had the chance.

-----


Still too early to make those types of statements. I think it mostly depends on how much the media plays this up.

-----


Not to mention I don't think most of Snapchat's target audience even cares about this issue. My 20 year old sister certainly doesn't.

-----


I'd be surprised if most of them are even aware of it, let alone care about it.

-----


It's on the front page (below the fold) of Buzzfeed. I think it's gonna be a big deal. Privacy was a key selling point.

-----


we are kind of the media.. and reddit is too.. I also believe that they made a fatal error by not selling everything for $3bn then jumping aboard. To not have anything to do with the "soon to come security issues". I mean they could have mentioned it and downplayed it as they did just recently. I don't think that the new owner would take security more seriously than them.

For us it was really really good that he rejected the offer! Because otherwise we would see the trade market crash $3bn, guess who would have to pay loss.. we..

well, if he saw that coming, which I doubt, he would be a hero.

-----


>I don't think that the new owner would take security more serious than them.

I don't know about that. Their dismissal was (at least framed as) "well that's a lot of data, so it's not going to happen!"

Actual excerpt from their blog, on the 27th: "Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way."

This is kind of a joke.

-----


> Because otherwise we would see the trade market crash $3bn

A sale of SC hurts all other companies in the market? Hard to understand this posit.

-----


Unless it's changed recently, the phone number is user-supplied and I'm not sure if it's verified at all. They do claim that the phone number "will be stored as unique mathematical representations (or 'hashes')..." rather than plaintext, but I imagine if you know it's a non-salted phone number that's been hashed, it's pretty easy to brute force. But were they lying about hashing the phone numbers? I guess it doesn't matter if they hashed the phone numbers if they're going to expose an unlimited query API that can be brute-forced like this.

-----


Salts, in a cryptographic context, are considered to be public. Salting does not mitigate a brute force attack against a limited search space.

-----


jaz27: Why is your comment grey?

Did they really claim phone numbers are hashed? If so, why has nobody else touched on this subject?

-----


Yes. I signed up in-app today (with a fake phone number) and that's a direct quote from the app.

No idea on the downvotes. I guess because, like I said, telling users you hash the phone numbers doesn't matter if you're using them to search for an unhashed userid. But they're implying to users that their phone numbers are secure because they're hashed, when it really doesn't matter.

-----


Posts get grayer due to downvotes. The more downvotes, the lighter the text will be.

-----


Or the $4bn. http://www.theverge.com/2013/11/15/5106950/google-snapchat-4...

-----


It's taking too much time to download each file even though they're 40 MB. I wish they had put it up as a torrent in the first place.

Regarding the leak, yeah, that actually happens when you focus on the product but not the security and reliability of your system. Snapchat, Whatsapp and many others have been hacked numerous times and yet it still happens.

-----


I do not wish they would torrent this. People, think about it. Personal, private phone numbers. Why would you want this information? Seriously the comments here make me sad for humanity right now.

-----


Torrent or not, I want to see if any of my less tech-savvy friends are on the list so I can warn them even though I don't use Snapchat myself. It's much easier to convince them there's a real problem if I can say "Look, I can get your phone number and username from the Internet just like that" rather than explaining theoretical reasons why they're vulnerable.

-----


> Why would you want this information?

Perhaps to see if one's own number is among those leaked?

-----


Phone numbers are hardly private information.

-----


Hmm, I somewhat disagree. Private information is anything you don't want public. By protocol, it isn't strictly private. But a phone number is private/unknown until it's known, which is how most of us prefer it.

For example, in implicit social code it is impolite to give away a friend's phone number without asking them first.

-----


The gray area for that is sharing a business phone number of your friend that they share widely through business cards or their website. Though typically it ends up being an email introduction if you really care to connect someone with your friend.

-----


Seriously? Ever heard of whitepages.com?

-----


I don't think whitepages has every name and phone number ever created

-----


neither does snapchat

-----


Yeah, but snapchat isn't supposed to give your number out.

-----


Disagree. I suspect they would fall under personal data in the European Union under the Data Protection Directive.

-----


indeed. rmc is right.

-----


it's not that - resolving who people are across many services needs lots of fields of info. The more the better the accuracy of the algorithms that find the correlations.

-----


Agreed. I get that a lot of these responses may be knee-jerk, but that doesn't excuse it.

-----


leaking this data to the public could do more for us than ignoring it ;-)

-----


> Why would you want this information?
> Hacker News
> Hacker

-----


That's not really the definition of hacker in regards to hacker news.

http://www.catb.org/jargon/html/H/hacker.html

-----


I'm implying that no real hacker sees such information as "off limits", especially when it's in such a readily, publicly available form.

-----


What does snapchatdb hope to accomplish by allowing people to download the db? Just showing and proving that you've hacked the database should be enough to get the company to respond. They're probably not hurting snapchat as much as the potential damage to the people whose phone numbers and usernames are being downloaded.

-----


Wasn't there a story posted right here on HN like a week ago where some people notified snapchat of the vuln. and provided evidence, but Snapchat told them to basically f* off?

I'm not savvy enough to have the link at hand but I vividly remember that happening.

-----


Previous Discussions:

https://news.ycombinator.com/item?id=6962329 (6 days ago)

https://news.ycombinator.com/item?id=6970036 (4 days ago)

-----


Yes, 6 days ago. The exploit was brought to Snapchat's attention in August and ignored and denied, so say the articles related to this.

-----


Just a quick Google search: http://guardianlv.com/2013/12/snapchat-ignores-possible-hack...

-----


according to the snapchatdb page, they've blurred the last two numbers of the phone numbers so as to not cause complete damage.

-----


I still don't understand why you would turn down $3 billion. How will you ever make money with snapchat and how is it not a fad that will eventually die?

-----


Was it 3bn cash or 3bn with some conditions? Maybe they have already made enough money (or are confident they will) and now want to get their name into history by building a great company.

-----


At the end of the day it is 3bn for an app that sends and shows photos for 10 seconds.

-----


I wonder if this is real: "65039076XX","larrypage","Mountain View"

-----


Threw together a quick script to check if you're affected... http://robbiet.us/snapchat/

-----


Ha, what. Your site says I'm leaked but gives a totally wrong phone #.

-----


Thanks for this, I was just wondering if mine was in here.

-----


>For now, we have censored the last two digits of the phone numbers in order to minimize spam and abuse. Feel free to contact us to ask for the uncensored database. Under certain circumstances, we may agree to release it.

At least they had the tact to omit the complete phone numbers, but agreeing to release them under certain conditions just seems malicious.

-----


The exploit was brought to snapchats attention. Snapchat said impossible! DB is posted as proof.

-----


For those who haven't noticed that, they are censoring the last two digits of the phone numbers:

> For now, we have censored the last two digits of the phone numbers in order to minimize spam and abuse. Feel free to contact us to ask for the uncensored database. Under certain circumstances, we may agree to release it.

-----


a.k.a. pay us some $ for it

-----


Since they give a bitcoin address, it's more likely that they want BTC. But yeah, same idea.

-----


google password recovery may help then ... ;P

-----


I made a site to check if you are affected by this leak: http://www.snapcheck.org . Happy new year, everyone (although on a bad note...)

-----


This would be perfect for completing the database .)

-----


I just open sourced the code: https://github.com/VikParuchuri/snapcheck . Can verify, nothing tricky going on.

-----


Download links were broken for me so I've mirrored them here (converted from zip to bzip2):

CSV: http://evilrouters.net/schat.csv.bz2

SQL: http://evilrouters.net/schat.sql.bz2

-----


Or just use port 8080 to bypass their Varnish server:

http://www.snapchatdb.info:8080/schat.csv.zip http://www.snapchatdb.info:8080/schat.sql.zip

-----


8080s aren't working, but jlgaddis's downloads are...

-----


Is anyone out there thinking that perhaps a larger social network might have had some hand in this?

The first thing that came to mind was "oh boy, I'll bet this made Zuck's new years eve!"

-----


SnapchatDB here: Our hosting account has been suspended. For further contact please use: snapchatdb@Safe-mail.net, or the original Bitmessage address (BM-2cTPMALzgYTkM8A96g2iwTjGHQUuNSwamp)

You can confirm my identity by messaging the original Bitmessage address which was captured by http://www.reddit.com/r/netsec/comments/1u4xss/snapchat_phon...

-----


As a casual user, can someone explain the implications for me? They seem to have my username and phone number combo; can they use these for nefarious purposes?

-----


Among other things, it means that the cell phones of people who have predictable user names are now very easy to discover. I don't use SnapChat, but if I did I would be patio11 on it. My cell is fairly closely guarded. You could imagine some people with similar situations who'd be at higher risk of misuse, because of a higher public profile, higher perceived payoff for contacting, notoriety, or demographic interest to people with poor impulse control.

-----


If you're not a hot underage teen girl, then prob not. But now it blows up the spot for where a lot of teens are hanging out. Now it's another step to getting to you if some creep wants to. Or take it to a grander scale, it creates a viable link of who a person and their digital mask is.

That's kind of the thing about privacy. It's kind of slipping away, but if you don't care that it is then it's prob cause it doesn't matter to you yet.

-----


If you're playing anonymous, you surely would also use burner phones and not your main phone for that purpose. Same applies to identities, profiles and hardware, any IDs, network connection and so on.

Because if I do have an alias which is doing very shady things, I would make pretty sure it's not going to be that easy to get it. When doing stuff like that you want to be sure that there's a "shared nothing" approach. So if they hack your systems, your primary system won't contain any information referring to the shady side and vice versa.

-----


> If you're playing anonymous, you surely would also use burner phones and not your main phone for that purpose.

We are talking about teenagers sending pictures to each other, not weed dealers in a prohibition state.

-----


So the primary use for this database would be phishing, right? Or some attempt at building a reverse cell phone number lookup database, assuming people have reused usernames? My normal username was taken when I signed up for snapchat, but I suppose you could use this to get quite a few cell number -> instagram or twitter pairings?

-----


> For now, we have censored the last two digits of the phone numbers in order to minimize spam and abuse. Feel free to contact us to ask for the uncensored database. Under certain circumstances, we may agree to release it.

Why not just release the usernames and leave out the phone numbers?

-----


I have list of all US phone numbers:

    000-000-0000
    000-000-0001
    ...

-----


Do you have the list of all US phone numbers tied to Snapchat usernames? If not this is entirely irrelevant.

-----


Yes, this is strange on all fronts. As far as I know names and land numbers are still published in phone books, and a phone number isn't generally a very interesting bit of information to have. And to the extent this information is sensitive, why be so eager to spread it (beyond being a teenager and getting a thrill)?

-----


1. You can remove your phone number from phone books.

2. Cell numbers aren't published in those books, which this affects.

3. Land lines these days are somewhat separate from our lives. It's relatively easy to ignore. Getting phishing texts (say, faking our banks, since some -- including myself -- have some bank alerts texted to us) to our cellphones could be quite harmful. If you send a million texts pretending to be Chase, and say 50% of the numbers are legit cell phone numbers, and 20% of people have chase accounts, and 0.1% of people fall for the phishing attempt, then you get 1/10,000 people getting phished. That's 100 people out of a million affected monetarily, and 500,000 people getting annoyed by the spam.

Obviously this is back of the envelope, but this is one reason it could matter.

edit: a comment thread below mentions that the bottom two digits are hidden at this moment but will be revealed for interested parties. That really smells like the numbers will be sold to spam/phishing operations.

-----


You can't remove your phone number from already published phone books. You can only omit yourself from later editions.

-----


Do you agree that many people are more public online behind the anonymity of a username, compared with their name as listed in public phone books?

-----


Cool... Someone else has a database of phone numbers associated with their snapchat usernames, previously assumed to be private, which is what this story is actually about.

-----


They start with 200-200-0000.

-----


The "first" NPA is 201, and from there the first assigned NXXes are 200, 202 and so on. 201-201 is unavailable. (According to the latest LERG update I have.)

-----


[deleted]

With an extra digit in the middle for security? :)

-----


NB: "For now, we have censored the last two digits of the phone numbers in order to minimize spam and abuse. Feel free to contact us to ask for the uncensored database. Under certain circumstances, we may agree to release it."

-----


This is what a sample looks like

"31755501XX","username","Indianapolis"

The XXs hide the last two digits of every number. The list is also massively incomplete.
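A quick way to check a number against a file in this layout, as an added example (not code from the thread or from snapchatdb): it parses rows of the form shown above, matches on the eight visible digits, and counts rows per area code. The sample rows are constructed for the example; since the last two digits are masked, a match only means the number is one of 100 candidates, not a confirmed listing.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample in the leaked file's layout: 8 digits + "XX", username, region.
# These rows are made up for this example; they are not from the leaked data.
SAMPLE_CSV = """\
"31755501XX","alice_example","Indianapolis"
"31755502XX","bob_example","Indianapolis"
"61755503XX","carol_example","Southern Michigan"
"41555504XX","dave_example","San Francisco"
"""

MASKED_RE = re.compile(r"^(\d{8})XX$")


def parse_rows(text):
    """Parse the CSV into (masked_prefix, username, region) tuples, skipping malformed rows."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) != 3:
            continue
        m = MASKED_RE.match(rec[0])
        if not m:
            continue
        rows.append((m.group(1), rec[1], rec[2]))
    return rows


def normalize_number(number):
    """Reduce a US number in any common format to its 10 digits (drops a leading country code 1)."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    if len(digits) != 10:
        raise ValueError("expected a 10-digit US number")
    return digits


def matching_entries(rows, number):
    """Return usernames whose masked prefix equals the first 8 digits of the number.

    The censored last two digits mean a hit narrows the number to a block of 100,
    so this answers "could I be in the file", not "am I in the file".
    """
    prefix = normalize_number(number)[:8]
    return [user for p, user, _ in rows if p == prefix]


def area_code_counts(rows):
    """Count rows per area code (first three digits), e.g. to see which codes were scraped."""
    return Counter(p[:3] for p, _, _ in rows)


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_CSV)
    print(matching_entries(rows, "(317) 555-0199"))   # ['alice_example']
    print(area_code_counts(rows).most_common())
```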

-----


I wonder if this will adversely affect their revenue

-----


Could someone please post a torrent of this? Spreading the information as much as possible, it will become less important and more known.

-----


They censored the last two digits of the phone numbers. And if you go to Google's password recovery option, it shows you the last three digits of someone's phone number. Just saying.

-----


Why do you even share your phone number with Google?

-----


http://www.google.com/landing/2step/

-----


2FA is pretty useless if you have a good password and simply mind the https lock and domain when logging in. Also I wouldn't share anything with Google that is sensitive enough that it needs 2FA at all.

-----


Is there a torrent for this? I want to see if my phone number has been compromised so I can take measures to change it.

-----


CSV: https://mega.co.nz/#!dcUhWabJ!dgiGrQCbRm6RqWCssewbmWzfV48B_B...

SQL: https://mega.co.nz/#!QJklSRJA!WrVeARPvcYgyKI3KENiPu0A6hlRCLf...

-----


You could apparently check via https://dazzlepod.com/snapchat/ if you trust them.

-----


Yes, me too.

-----


What I want to know is what kind of asshole it takes to do things like this?

Great, Snapchat isn't secure, and they probably didn't give a damn when notified of the vulnerability (not surprising, given their cavalier attitudes), but why expose their audience in order to prove a point?

Not cool man.

-----


Probably because someone else would have, or already has, and kept it secret instead. What you don't know can hurt you.

-----


Is it not odd that Snapchat has 5+ open job listings on their website, none of which include security?

-----


You mean to say a company that encrypts users' messages in ECB mode with a fixed key hard-coded into the binary and which was publicly disclosed almost a year ago and hasn't been changed isn't responsible with user data?

-----


Is this a hoax? Has anyone attempted to verify the data with at least some spot checks?

-----


The database and download exclusively on convoe: http://convoe.com/topic/127/introducing-snapchat-database

-----


"exclusively" - as opposed to those torrents, the mega mirrors and personal mirrors provided by reddit and hn members, right?

-----


Check if your Snapchat account is leaked in the SnapchatDB release: https://dazzlepod.com/snapchat/

-----


[deleted]

[deleted]

No, we wouldn't. Don't post that shit here.

-----


It might be that the file didn't actually download fully. Chrome said mine completed but only about 9MB of the 40MB actually had downloaded.

-----


Can you still throw it up somewhere? May be recoverable.

-----


I knew I shouldn't have signed up for Snapchat, never freaking used it, and now my phone number-username identity has been leaked.

-----


What is the point of the areacodes table they provide? It has no relation to the records table. Also, I found my username in there.

-----


I am interested in knowing if anyone who had deleted their SnapChat account, preferably months ago, was listed in that database.

-----


For some reason, all of the 617 area codes are labeled as "Southern Michigan", but 617 is for Boston/Cambridge.

-----


[deleted]

I assume it was created by iterating through every valid US number.

-----


This seems super reckless.

-----


If you have a SF Bay Area phone number, it's probably in there.

-----


It looks like they only bothered with most populated area codes.

-----


I feel good I didn't get on the Snapchat train before.

-----


Did he just turn off his HTTP server? I get no response.

-----


Did he just stop his HTTP server? I get no response.

-----


"This account has been suspended."

-----


Is this a result of an actual hack, or just someone who used the snapchat username->phone number lookup to get 4.6?

-----


www(dot)mediafire(dot)com/download/73t434w3h55x5z4/Snapchat.zip

that is the whole file

-----


www.mediafire.com/download/73t434w3h55x5z4/Snapchat.zip

real files right here

-----


These comments are disgusting. Why are you all trying to download the data? Why are many of you trying to distribute it?

-----


I would imagine some of the people wanting to download the data are snapchat users who are trying to find out if they (or people they know) have data in the file. No clue on the distribute part.

-----


Why should General Clapper have all the fun?

-----


How long until somebody releases an updated snapchat database linking pinterest profile pictures? I mean if you chose a very unique username, and went to http://pinterest.com/username, you'd be able to discover what they possibly look like. It doesn't end there, their email address is probably username@gmail.com too. simply googling the username results in connecting their twitter? facebook? myspace? linkedin? full name, more pictures, your friends, your interests, your likes. All in all, I would have to say, this can be potentially a far bigger loss of privacy than just your Snapchat account.

Damn, that 3 billion dollars looks good about now.

-----


503 on download links

-----


My number is present.

-----


redirects to localhost for me...

-----


>>The company was too reluctant at patching the exploit until they knew it was too late

Did they give Snapchat enough time to fix this before releasing this data?

NOTE: I've heavily edited this comment because when I first read the website I thought snapchat ignored the people who found an exploit but re-reading, it's no longer clear to me that releasing this data is not pure malice.

NOTE2: The link from couchdive's comment makes this more interesting - http://www.zdnet.com/researchers-publish-snapchat-code-allow... - but still, the webpage hosting the data said the exploit was fixed, so it wasn't ignored, so... I don't know what the purpose of releasing this data was.

-----


For more info. http://www.zdnet.com/researchers-publish-snapchat-code-allow...

-----


Why would you donate to these people? Because they're hurting Snapchat users? What is wrong with the people posting in this thread like this is some kind of good thing? Real people can be hurt by this.

-----


Maybe no one would ever send him snaps. Either way, I find it more disturbing that an address he claims to own [1] is on this list [2]

1. https://news.ycombinator.com/user?id=smtddr

2. https://github.com/mikispag/bitiodine/blob/master/classifier...

-----


Um, I just want to say that I have _NO IDEA_ why my BTC address is on that list and I've never seen this git URL before in my life. That BTC address is my deposit address on BTC-e.com. This address has only ever received 2.25 BTC[1] and this was purchased fair & square from coinbase.com[2] with my hard-earned USD. I really do not know what in the world is going on or who put my BTC-e.com address on this alleged cryptolocker's known list. I have absolutely nothing to do with that software.

Pardon me while I go to BTC-e.com and have it generate a new address. I don't need to be getting mixed up in this.

1. https://blockchain.info/address/19ukXViVqQ2pVg63aeTmMNv6TBEZ...

2. http://i.imgur.com/6EKJvX9.png

-----


Well, word to the wise, don't use BTC-e as a wallet.

-----


I would have found it quite amusing/scary to suddenly see some huge balance on my account. BTC-e.com sends emails for any account activity and I haven't seen anything I didn't cause. Also, BTC-e.com is just too convenient not to use for now. It's the quickest way for me to get litecoin until coinbase.com supports it.

-----


Did the snapchatdb.info guys change the donation address? It's now reporting as 1M7rREovDkdEh4mZrYNgcj1FECRknFLuRz

They have already got $1USD for this. https://blockchain.info/address/1M7rREovDkdEh4mZrYNgcj1FECRk...

When I first read your post, smtddr, I got worried we had a collision! I've found the quality of blockchain auditing in 2013 highly inaccurate. I recently brought attention to a case on reddit where someone 'chased' the SMP thief through a tumbler and found... the 96k wallet allegedly owned by btc-e. It's a shame if a non-published address of yours has been tainted in someone's inaccurate blockchain analysis.

-----


w-ll was talking about the original BTC address in my profile being on the known list for cryptolocker. The same address I linked to in my reply to her/him. When you say "we", who are you?

Also, that whole reddit thread about chasing the SMP stolen coins I thought was too hard to actually pull off. For example, I use coinbase to buy BTC, to send to BTC-e.com, to buy Litecoins and ultimately store them in the offline address that's in my HN profile. Can anyone show me the blockchain.info URLs that would prove my actions? If the SMP people changed coin-types, that's how it'd end up on BTC-e.com's wallet. In fact, maybe that same flawed logic is how my BTC-e.com address ended up in that list - capturing addresses that BTC-e.com uses for its customers or internal operations.

-----


Please consider corresponding with the author of the Github repo to see if they can figure out why that address was included in the list.

Based on the page for that tool ( http://miki.it/articles/papers/#bitiodine ), it looks like they would be interested to know of the failure.

-----


And done... https://github.com/mikispag/bitiodine/issues/3

This whole incident reminds me of Reddit doxxing. This could have ended up much worse for me. I'm just glad I found out this way instead of the police requesting info from Google about my youtube account and gmail inbox then busting down my door in the middle of the night.

-----


Just to hoist things up thread, all your link boils down to is the software you link using a very inclusive heuristic (something like the size of a transaction with BTC-e).

So this particular 'accusations.txt' doesn't mean very much.

-----


How do I check my data?

-----


hi

-----


This is only useful in wide-net phishing attacks, most of which I'm guessing no one here would fall for.

Anyone interested in you particularly will quickly get your phone number, email address, facebook profile, social security number, or whatever they want if they're determined enough.

Even then, I'm not sure what information this database really provides that could be used to gain some fraudulent or exploitive benefit.

-----


Can you really quickly get a social security number?

-----


"I'm glad to let you know that you qualify for X healthcare coverage. Can I just have your social security number and we'll send over the confirmation documents?"

Yes, people fall for this kind of stuff all the time.

-----


In many cases it's much easier than you'd expect. See e.g. http://www.heinz.cmu.edu/~acquisti/ssnstudy/ (TL;DR: "we show that it is possible to predict individual SSNs simply from publicly available data").

-----


Ehrm, in Sweden, yes.. those people are so mad that they allow a reverse search!!! I made payment gateways for companies there and was surprised by that.

What's really sad is that, if all those phone numbers were already public, I guess nobody would have cared to create something like SnapChat in the first place..

-----


Has anyone fully downloaded the list yet?

-----


[deleted]

Do not? Why would you help distribute the private information of others? Why?

-----


To see if your own information has been leaked? So you can get a new number?

-----


[deleted]

I think if some private parties already have access to the info (people who have already downloaded the DB) then we're all better off having access to the list to see if we are on it or not.

-----


Why would you go about making a torrent?

-----


Looks like they are using WhoIsGuard to protect the domain whois information. The terms of WhoIsGuard[1] include not violating the privacy of others:

> defame, abuse, harass, threaten or otherwise violate the legal rights (such as rights of privacy and publicity) of others;

I've sent WhoIsGuard an email. Hopefully they'll revoke service. Shame on the people that published this private information. They aren't hurting just Snapchat. Revealing personal information like this can cause real problems for people.

[1] http://www.whoisguard.com/legal-tos.asp

-----


> Shame on the people that published this private information.

That would be Snapchat.

Stop trying to censor stuff that's already out there.

http://en.wikipedia.org/wiki/Streisand_effect

-----


Actually in this case the absolute best thing would be for Snapchat, Inc. to go full court press against snapchatdb.info, as what is actually important here is to communicate both the "snapchat security is a lie" message, and "companies which flagrantly suck and then piss on those who report vulnerabilities responsibly will suffer" message, rather than the actual snapchat phone/username db. Streisand will help that more than "go to this site which is really slow and download a huge file which you can't easily use to find your own number or that of your friends" (without a minimum of "how to use a computer" skill).

-----


The website clearly states that the last 2 digits of the phone numbers are censored. You're free to do what you think is right, but in this case you're the one who is trying to get somebody's private information published.

-----


> The website clearly states that the last 2 digits of the phone numbers are censored.

They also say:

> Feel free to contact us to ask for the uncensored database. Under certain circumstances, we may agree to release it.

which is, in my opinion, kind of messed up. (Unless I'm missing a reason why that would be helpful in any way.)

-----


"Honey I SWEAR that isn't me."

-----


Hrm... it's New Year's Eve and people have taken off early, and I suspect that WhoIsGuard doesn't have round-the-clock support coverage. Disclaimer: pure speculation, but I think it's fair to say the timing was strategic.

-----


If you think they registered using their real name and address then you are the delusional one.

-----


I have a theory. Last week there was a big story about how Facebook was “dead and buried” because teens didn’t want to be on a service that their parents had moved into. Now, when it comes to security, the parents care a lot more than the kids. Could Snapchat be playing fast and loose with the security of their user data as a way of scaring away the grownups?

This would be a clever ploy but for one damning fact. A large share of Snapchat’s users are minor children. Could anyone, from the CEO of Snapchat to the perpetrators of SnapchatDB really think that risking the broadcasting of the phone numbers of 12-year-old girls and boys is a risk worth taking?

For more, see: http://www.forbes.com/sites/anthonykosner/2014/01/01/4-6-mil...

-----


I HAVE a theory that a (not so) clever writer for Forbes is plugging his story by planting misguided theories everywhere, UPON which I plan to plant my theories on his planted theories on snapchat CEO "rumor" theories.

-----


I have a theory that Mark Zuckerberg, fearing the demise of facebook, had his ninja assassins infiltrate SnapChat and compromise their security, hoping to drive teenagers back into the arms of facebook.

Why is my theory any less loony than yours?

-----
