On Christmas Eve, Australia-based Gibson Security warned Snapchat about possible exploits that could help hackers compromise its users' data, particularly by matching usernames and display names to phone numbers, but the company just played down the allegations. As the world welcomed 2014, hackers made a noise louder than the fireworks by posting over 4.5 million usernames and their phone numbers online.
On January 2, the company announced through a statement that it would roll out an updated version of the app so users could opt out of being seen through its Find Friends feature. It also promised to implement improvements that would help prevent future abuse of its service.
About a week after disclosing the planned update, Snapchat finally apologized for the data breach, concurrent with the rollout of the updated Snapchat app.
"This morning we released a Snapchat update for Android and iOS that improves Find Friends functionality and allows Snapchatters to opt-out of linking their phone number with their username. This update also requires new Snapchatters to verify their phone number before using the Find Friends service," Team Snapchat wrote on the company's official blog.
"Our team continues to make improvements to the Snapchat service to prevent future attempts to abuse our API. We are sorry for any problems this issue may have caused you and we really appreciate your patience and support," it added.
Users can opt out by going to the settings of the app, tapping "Mobile #" and turning on the option tagged as "Link username to mobile #."
Users and security experts have criticized Snapchat for not apologizing following the data breach. Prior to its warning before Christmas, Gibson Security had also gone public in August about possible abuses of Snapchat's API. According to Snapchat, it implemented practices to address the issues raised the first time. The company was also clearly not pleased when Gibson Security publicly documented its API, a move that might have further compromised its services.
Compromised usernames and their corresponding redacted phone numbers were published on SnapchatDB.info on December 31. The website was immediately suspended, but it clearly proved the point of the white-hat group that had warned Snapchat.