236 comments

[ 4.4 ms ] story [ 248 ms ] thread
(comment deleted)
(comment deleted)
No, we wouldn't. Don't post that shit here.
Can you still throw it up somewhere? May be recoverable.
It might be that the file didn't actually download fully. Chrome said mine completed but only about 9MB of the 40MB actually had downloaded.
(comment deleted)
(comment deleted)
It's taking too much time to download each file even they're 40 MB. I wish they put it on as torrent in the first place.

Regarding the leak, yeah, that actually happens when you focus on the product but security and reliability of your system. Snapchat, Whatsapp and many others are hacked numerous times and yet it still happens.

I do not wish they would torrent this. People, think about it. Personal, private phone numbers. Why would you want this information? Seriously the comments here make me sad for humanity right now.
Agreed. I get that a lot of these responses may be knee-jerk, but that doesn't excuse it.
Torrent or not, I want to see if any of my less tech-savvy friends are on the list so I can warn them even though I don't use Snapchat myself. It's much easier to convince them there's a real problem if I can say "Look, I can get your phone number and username from the Internet just like that" rather than explaining theoretical reasons why they're vulnerable.
Phone numbers are hardly private information.
it's not that - resolving who people are across many services needs lots of fields of info. The more the better the accuracy of the algorithms that find the correlations.
Hmm, I somewhat disagree. Private information is anything you don't want public. By protocol, it isn't strictly private. But a phone number is private/unknown until its known, which is how most of us prefer it.

For example, in implicit social code it is impolite to give away a friend's phone number without asking them first.

The gray area for that is sharing a business phone number of your friend that they share widely through business cards or their website. Though typically it ends up being an email introduction if you really care to connect someone with your friend.
Seriously? Ever heard of whitepages.com?
I don't think whitepages has every name and phone number ever created
neither does snapchat
Yeah, but snapchat isn't suppose to give your number out.
Disagree. I suspect they would fall under personal data in the European Union under the Data Protection Directive.
indeed. rmc is right.
>Why would you want this information? >Hacker News >Hacker
Why would you want this information?

Perhaps to see if one's own number is among those leaked?

leaking this data to the public could do more for us then ignoring it ;-)
leaking this data to the public could do more for us then ignoring it ;-)
>>The company was too reluctant at patching the exploit until they knew it was too late

Did they give Snapchat enough time to fix this before releasing this data?

NOTE: I've heavily edited this comment because when I first read the website I thought snapchat ignored the people who found an exploit but re-reading, it's no longer clear to me that releasing this data is not pure malice.

NOTE2: The link from couchdive's comment makes this more interesting - http://www.zdnet.com/researchers-publish-snapchat-code-allow... - but still, the webpage hosting the data said the exploit was fixed, so it wasn't ignored, so... I don't know what the purpose of releasing this data was.

Why would you donate to these people? Because they're hurting Snapchat users? What is wrong with the people posting in this thread like this is some kind of good thing? Real people can be hurt by this.
(comment deleted)
Maybe no one would ever send him snaps. Either Way I find it more disturbing that an address he claims to own [1] is on this list [2]

1. https://news.ycombinator.com/user?id=smtddr

2. https://github.com/mikispag/bitiodine/blob/master/classifier...

Um, I just want to say that I have _NO IDEA_ why my BTC address is on that list and I've never seen this git URL before in my life. That BTC address is my deposit address on BTC-e.com. This address has only ever received 2.25 BTC[1] and this was purchased fair & square from coinbase.com[2] with my hard-earned USD. I really do not know what in the world is going on or who put my BTC-e.com address on this alleged cryptolocker's known list. I have absolutely nothing to do with that software.

Pardon me while I go to BTC-e.com and have it generate a new address. I don't need to be getting mixed up in this.

1. https://blockchain.info/address/19ukXViVqQ2pVg63aeTmMNv6TBEZ...

2. http://i.imgur.com/6EKJvX9.png

Well, word to the wise, don't use BTC-e as a wallet.
I would have found it quite amusing/scary to suddenly see some huge balance on my account. BTC-e.com sends emails for any account activity and I haven't seen anything I didn't cause. Also, BTC-e.com is just too convenient not to use for now. It's the quickest way for me to get litecoin until coinbase.com supports it.
Did the snapchatdb.info guys change the donation address? Its now reporting as 1M7rREovDkdEh4mZrYNgcj1FECRknFLuRz

They have already got $1USD for this. https://blockchain.info/address/1M7rREovDkdEh4mZrYNgcj1FECRk...

When i first read your post smtddr i got worried we had a collision! Ive found the quality of blockchain auditing in 2013 highly inaccurate. I recently bring attention to the case recently on reddit where someone 'chased' the SMP thief through a tumbler and found... the 96k wallet allegedly owned by btc-e. Its a shame if a non published address of yours has been tainted in someones inaccurate blockchain analysis.

w-ll was talking about the original BTC address in my profile being on the known list for cryptolocker. The same address I linked to in my reply to her/him. When you say "we", who are you?

Also, that whole reddit thread about chasing the SMP stolen coins I thought was too hard to actually pull off. For example, I use coinbase to buy BTC, to send to BTC-e.com, to buy Litecoins and ultimately store them in the offline address that's in my HN profile. Can anyone show me the blockchain.info URLs that would prove my actions? If the SMP people changed coin-types, that's how it'd end up on BTC-e.com's wallet. In fact, maybe that same flawed logic is how my BTC-e.com address ended up in that list - capturing addresses that BTC-e.com uses for its customers or internal operations.

Please consider corresponding with the author of the Github repo to see if they can figure out why that address was included in the list.

Based on the page for that tool ( http://miki.it/articles/papers/#bitiodine ), it looks like they would be interested to know of the failure.

And done... https://github.com/mikispag/bitiodine/issues/3

This whole incident reminds me of Reddit doxxing. This could have ended up much worse for me. I'm just glad I found out this way instead of the police requesting info from Google about my youtube account and gmail inbox then busting down my door in the middle of the night.

Just to hoist things up thread, all your link boils down to is the software you link using a very inclusive heuristic (something like the size of a transaction with BTC-e).

So this particular 'accusations.txt' doesn't mean very much.

What does snapchatdb hope to accomplish by allowing people to download the db. Just showing and proving that you've hacked the database should be enough to get the company to respond. They're probably not hurting snapchat as much as the potential damage to the people who's phone numbers and usernames are being dowloaded.
Wasn't there a story posted right here on HN like a week ago where some people notified snapchat of the vuln. and provided evidence, but Snapchat told them to basically f* off?

I'm not savvy enough to have the link at hand but I vividly remember that happening.

Yes 6 days ago. The exploit was brought to snapchats attention since August and ignored and denied, so says the articles related to this.
according to the snapchatdb page, they've blurred the last two numbers of the phone numbers so as to not cause complete damage.
Looks like they are using WhoIsGuard to protect the domain whois information. The terms of WhoIsGuard[1] include not violating the privacy of others:

> defame, abuse, harass, threaten or otherwise violate the legal rights (such as rights of privacy and publicity) of others;

I've sent WhoIsGuard an email. Hopefully they'll revoke service. Shame on the people that published this private information. They aren't hurting just Snapchat. Revealing personal information like this can cause real problems for people.

[1] http://www.whoisguard.com/legal-tos.asp

Hrm... it's New Years Eve and people have taken off early, and I suspect that WhoIsGuard doesn't have round the clock support coverage. Disclaimer: pure speculation, but I think its fair to say the timing was strategic.
> Shame on the people that published this private information.

That would be Snapchat.

Stop trying to censor stuff that's already out there.

http://en.wikipedia.org/wiki/Streisand_effect

Actually in this case the absolute best thing would be for Snapchat, Inc. to go full court press against snapchatdb.info, as what is actually important here is to communicate both the "snapchat security is a lie" message, and "companies which flagrantly suck and then piss on those who report vulnerabilities responsibly will suffer" message, rather than the actual snapchat phone/username db. Streisand will help that more than "go to this site which is really slow and download a huge file which you can't easily use to find your own number or that of your friends" (without a minimum of "how to use a computer" skill).
The website clearly states that the last 2 digits of the phone numbers are censored. You're free to do what you think is right, but in this case you're the one who is trying to get somebody's private information published.
> The website clearly states that the last 2 digits of the phone numbers are censored.

They also say:

> Feel free to contact us to ask for the uncensored database. Under certain circumstances, we may agree to release it.

which is, in my opinion, kind of messed up. (Unless I'm missing a reason why that would be helpful in any way.)

"Honey I SWEAR that isn't me."
If you think they registered using their real name and address then you are the delusional one.
(comment deleted)
(comment deleted)
Do not? Why would you help distribute the private information of others? Why?
(comment deleted)
I think if some private parties already have access to the info (people who have already downloaded the DB) then we're all better off having access to the list to see if we are on it or not.
To see if your own information has been leaked? So you can get a new number?
Why would you go about making a torrent?
Not at all surprised. Anyone that used the app would be suspicious of the backend behind it. Should have taken that $3bn while you had the chance.
Still too early to make those types of statements. I think it mostly depends on how much the media plays this up.
we are kind of the media.. and reddit is too.. I also believe that they made a fatal error by not selling everything for $3bn then jumping aboard. To not have anything to do with the "soon to come security issues". I mean they could have mentioned it and downplay it as they did just recently. I don't think that the new owner would take security more serious than them.

For us it was really really good that he rejected the offer! Because otherwise we would see the trade market crash $3bn, guess who would have to pay loss.. we..

well, if he saw that coming, which I doubt, he would be a hero.

>I don't think that the new owner would take security more serious than them.

I don't know about that. Their dismissal was (at least framed as) "well that's a lot of data, so it's not going to happen!"

Actual excerpt from their blog, on the 27th: "Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way."

This is kind of a joke.

> Because otherwise we would see the trade market crash $3bn A sale of SC hurts all other companies in the market? Hard to understand this posit.
Not to mention I don't think most of snapchats target audience even cares about this issue. My 20 year old sister certainly doesn't.
I'd be surprised if most of them are even aware of it, let alone care about it.
It's on the front page (below the fold) of Buzzfeed. I think it's gonna be a big deal. Privacy was a key selling point.
Unless it's changed recently, the phone number is user-supplied and I'm not sure if it's verified at all. They do claim that the phone number "will be stored as unique mathematical representations (or 'hashes')..." rather than plaintext, but I imagine if you know it's a non-salted phone number that's been hashed, it's pretty easy to brute force. But were they lying about hashing the phone numbers? I guess it doesn't matter if they hashed the phone numbers if they're going to expose an unlimited query API that can be brute-forced like this.
jaz27: Why is your comment grey?

Did they really claim phone numbers are hashed? If so, why has nobody else touched on this subject?

Posts get grayer due to downvotes. The more downvotes, the lighter the text will be.
Yes. I signed up in-app today (with a fake phone number) and that's a direct quote from the app.

No idea on the downvotes. I guess because, like I said, telling users you hash the phone numbers doesn't matter if you're using them to search for an unhashed userid. But they're implying to users that their phone numbers are secure because they're hashed, when it really doesn't matter.

Salts, in a cryptographic context, are considered to be public. Salting does not mitigate a brute force attack against a limited search space.
For those who haven't noticed that, they are censoring the last two digits of the phone numbers:

> For now, we have censored the last two digits of the phone numbers in order to minimize spam and abuse. Feel free to contact us to ask for the uncensored database. Under certain circumstances, we may agree to release it.

google password recovery may helps then ... ;P
a.k.a. pay us some $ for it
Since they give a bitcoin address, it's more likely that they want BTC. But yeah, same idea.
These comments are disgusting. Why are you all trying to download the data? Why are many of you trying to distribute it?
I would imagine some of the people wanting to download the data are snapchat users who are trying to find out if they (or people they know) have data is in the file. No clue on the distribute part.
Why should General Clapper have all the fun?
>For now, we have censored the last two digits of the phone numbers in order to minimize spam and abuse. Feel free to contact us to ask for the uncensored database. Under certain circumstances, we may agree to release it.

At least they had the tact to omit the complete phone numbers, but agreeing to release them under certain conditions just seems malicious.

The exploit was brought to snapchats attention. Snapchat said impossible! DB is posted as proof.
> For now, we have censored the last two digits of the phone numbers in order to minimize spam and abuse. Feel free to contact us to ask for the uncensored database. Under certain circumstances, we may agree to release it.

Why not just release the usernames and leave out the phone numbers?

I have list of all US phone numbers:

    000-000-0000
    000-000-0001
    ...
(comment deleted)
With an extra digit in the middle for security? :)
Yes, this is strange on all fronts. As far as I know names and land numbers are still published in phone books, and a phone number isn't generally a very interesting bit of information to have. And to the extent this information is sensitive, why be so eager to spread it (beyond being a teenager and getting a thrill)?
Do you agree that many people are more public online behind the anonymity of a username, compared with their name as listed in public phone books?
1. You can remove your phone number from phone books.

2. Cell numbers aren't published in those books, which this affects.

2. Land lines these days are somewhat separate from our lives. It's relatively easy to ignore. Getting phishing texts (say, faking our banks, since some -- including myself -- have some bank alerts texted to us) to our cellphones could be quite harmful. If you send a million texts pretending to be Chase, and say 50% of the numbers are legit cell phone numbers, and 20% of people have chase accounts, and 0.1% of people fall for the phishing attempt, then you get 1/10,000 people getting phished. That's 100 people out of a million affected monetarily, and 500,000 people getting annoyed by the spam.

Obviously this is back of the envelope, but this is one reason it could matter.

edit: a comment thread below mentions that the bottom two digits are hidden at this moment but will be revealed for interested parties. That really smells like the numbers will be sold to spam/phishing operations.

You can't remove your phone number from already published phone books. You can only omit yourself from later editions.
Do you have the list of all US phone numbers tied to Snapchat usernames? If not this is entirely irrelevant.
(comment deleted)
Cool... Someone else has a database of phone numbers associated with their snapchat usernames, previously assumed to be private, which is what this story is actually about.
They start with 200-200-0000.
The "first" NPA is 201, and from there the first assigned NXXes are 200, 202 and so on. 201-201 is unavailable. (According to the latest LERG update I have.)
Is this a hoax? Has anyone attempted to verify the data with at least some spot checks?
could someone please post a torrent of this spreading the information as much as possible it will become less important and more known
Possibly they shouldn't have pissed on the people who notified them of the vulnerability, and on the journalists who broke the story?

(aside from not being vulnerable to this in the first place, but that actually is a lot to ask. I still can't believe anyone relied on the Snapchat model of security more so than any other app, although from an ease of use, non-security perspective, sure, it's reasonable.)

For the record we don't know about SnapchatDB.

But it was a matter of time until this happened, the exploit still works with minor modifications, you just have to be smart about it.

is this a result of an actual hack, or just someone who used the snapchat username->phone number to get 4.6?
Is anyone out there thinking that perhaps a larger social network might have had some hand in this?

The first thing that came to mind was "oh boy, I'll bet this made Zuck's new years eve!"

has anyone fully download the list yet
(comment deleted)
I assume it was created by iterating through every valid US number.