Well, we almost made it through the first day of the new year without a major data breach; it got to about mid-afternoon my time, then wammo! The breach count was off and racing.
I came to the conclusion that it is and, well, it is. The information at present seems to indicate that the data was obtained by using a simple enumeration technique against the API that sits behind the mobile apps.
Ask the mobile app about a phone, get back a result with a username. Increment the phone number by one and repeat. Easy to consume, fast to enumerate and frequently poorly secured. Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U. We recently added additional counter-measures and continue to make improvements to combat spam and abuse.
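A server-side check for the lookup pattern described above, as an added example that is not from the original post or from Snapchat: it flags a client whose find-by-phone-number queries form a run of adjacent numbers or exceed a volume limit. The log fields, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (epoch_seconds, client_id, phone_number_queried).
# Field names and values are made up for this example.
SAMPLE_LOOKUPS = (
    [(1000 + i, "client-A", 5550100000 + i) for i in range(40)]   # walks the number space
    + [(1000 + 60 * i, "client-B", n) for i, n in enumerate(
        [5550173321, 5559820114, 5553307765, 5550173321, 5554419008])]  # address-book sync
)

def longest_consecutive_run(numbers):
    """Length of the longest run n, n+1, n+2, ... among the distinct numbers."""
    seen = set(numbers)
    best = 0
    for n in seen:
        if n - 1 in seen:          # only start counting at the beginning of a run
            continue
        length = 1
        while n + length in seen:
            length += 1
        best = max(best, length)
    return best

def flag_enumerators(lookups, window=300, max_lookups=20, max_run=10):
    """Return {client_id: reason} for clients whose lookups in any `window`
    seconds exceed a volume limit or form a long run of adjacent numbers."""
    by_client = defaultdict(list)
    for ts, client, number in lookups:
        by_client[client].append((ts, number))
    flagged = {}
    for client, events in by_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            in_window = [num for _, num in events[start:end + 1]]
            run = longest_consecutive_run(in_window)
            if run >= max_run:
                flagged[client] = f"sequential run of {run} numbers"
                break
            if len(in_window) > max_lookups:
                flagged[client] = f"{len(in_window)} lookups in {window}s"
                break
    return flagged

if __name__ == "__main__":
    print(flag_enumerators(SAMPLE_LOOKUPS))
```

The adjacency check catches slow walkers that stay under the volume limit; the volume limit catches bulk uploads of non-adjacent numbers.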
What risks do leaked usernames and phone numbers pose? More than that though, the association of username to phone number starts to open doors to social engineering attacks. Oftentimes, usernames are unique enough to have a reasonable degree of confidence (the definition of which will differ from case to case) that the same one in multiple locations does indeed belong to the same person.
Well, there you go. You can extend this logic to many other breached accounts across many other entirely independent services that are tied together by common username. Of course not, at least not in most circumstances.
But it does give users in the breach the opportunity to consider what the impact may be. For some, a phone number is a personal piece of data they work hard to keep private and this breach may result in a heightened awareness of potential abuse.
It may result in exercising extra caution — particularly in the short term — with regards to potential attacks that leverage the fact their online identities may now well have a unique phone number tied back to them.
The other angle is that when someone finds their account pwned, it brings the whole issue of trust and security on the web back to the front of their mind. This is a reminder for all of us. In order to make this data searchable, I had to extend the concept of searching by email such that you can search by any string.