Anatomy of a Breach: Snapchat — 4.6 Million Usernames Scraped After Warnings Were Ignored

> series: anatomy_of_a_breach —— part: 061 —— target: snapchat —— records: 4,600,000 —— warning_ignored: yes

Hedgehog Security · 31 January 2014 · 11 min read

Researchers warned them. Snapchat called it 'theoretical.' Then 4.6 million records were published.

On 1 January 2014, a group using the handle 'SnapchatDB' published a database containing the usernames and phone numbers of approximately 4.6 million Snapchat users via the site SnapchatDB.info. The data had been scraped by exploiting a vulnerability in Snapchat's 'Find Friends' API — a feature that allowed users to upload phone number lists and receive matching Snapchat usernames. By enumerating phone numbers systematically, attackers could map phone numbers to usernames at scale.

The vulnerability had been publicly disclosed by security research group Gibson Security in August 2013 — four months before the breach. Gibson Security had responsibly disclosed the issue to Snapchat and published a detailed technical analysis when Snapchat failed to act. Snapchat's response was to describe the vulnerability as 'theoretical' and downplay the risk. The New Year's Day data dump proved it was anything but theoretical.



Find Friends becomes Find Everyone.

The Snapchat API vulnerability was a classic example of the issues our API penetration testing identifies: an API endpoint that accepted bulk inputs without rate limiting, returned more information than intended (mapping phone numbers to usernames), and had no authentication controls to prevent automated scraping. It was the same vulnerability class, insecure API design enabling enumeration, that had exposed 114,000 AT&T iPad email addresses in 2010.

No Rate Limiting

The API allowed unlimited queries — enabling attackers to enumerate millions of phone numbers in automated fashion. Rate limiting is a fundamental API security control that our <a href="/penetration-testing/api">API testing</a> verifies on every engagement.

Responsible Disclosure Ignored

Gibson Security followed responsible disclosure practices — notifying Snapchat privately before publishing publicly. Snapchat's dismissal of the warning turned a managed vulnerability into a public breach. As a <a href="/penetration-testing">CREST-accredited provider</a>, we work within established disclosure frameworks to ensure vulnerabilities are remediated, not ignored.

Phone Number to Username Mapping

The leaked data mapped phone numbers to Snapchat usernames — enabling targeted phishing, social engineering, and deanonymisation of users who believed their Snapchat identity was separate from their real identity. For organisations, this demonstrates why API responses should follow the principle of least information.

API Security Is Application Security

In 2014, APIs were becoming the dominant interface for mobile applications. The Snapchat breach demonstrated that API security requires the same rigour as web application security — authentication, authorisation, rate limiting, input validation, and output filtering. Our <a href="/penetration-testing/api">API penetration testing</a> assesses all of these controls.
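As an added illustration (not Snapchat's code and not this firm's), here is a hardened contact-matching handler in Python that applies the controls just listed: it requires an authenticated caller, caps the batch size, charges every submitted number against a per-account sliding-window quota so that splitting a list into many small requests does not evade the limit, and returns only numbers that matched an account whose owner allows phone discovery. The directory, phone numbers and limits are constructed placeholders.

```python
from collections import deque
import time

# Constructed sample directory: phone number -> (username, discoverable_by_phone).
# The numbers are fake placeholders, not real subscribers.
DIRECTORY = {
    "+15550000001": ("alice_snap", True),
    "+15550000002": ("bob_snap", False),   # user opted out of phone discovery
    "+15550000003": ("carol_snap", True),
}

MAX_BATCH = 50          # hard cap on numbers accepted in one request
QUOTA_LIMIT = 100       # distinct numbers one account may look up per window
QUOTA_WINDOW = 3600.0   # window length in seconds (assumed values)


class LookupQuota:
    """Sliding-window quota per authenticated account. Every submitted number
    is counted, so many small batches cost the same as one large batch."""

    def __init__(self, limit=QUOTA_LIMIT, window=QUOTA_WINDOW, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.events = {}  # account_id -> deque of timestamps, one per number

    def try_consume(self, account_id, count):
        now = self.clock()
        q = self.events.setdefault(account_id, deque())
        while q and now - q[0] > self.window:   # drop entries outside the window
            q.popleft()
        if len(q) + count > self.limit:
            return False
        q.extend([now] * count)
        return True


def find_friends(account_id, numbers, quota, directory=DIRECTORY):
    """Hardened contact-matching handler. Returns (http_status, payload)."""
    if account_id is None:
        return 401, {"error": "authentication required"}
    # Normalise and de-duplicate before anything is charged against the quota.
    wanted = sorted({n.strip() for n in numbers if n.strip()})
    if len(wanted) > MAX_BATCH:
        return 413, {"error": f"at most {MAX_BATCH} numbers per request"}
    if not quota.try_consume(account_id, len(wanted)):
        return 429, {"error": "lookup quota exceeded"}
    # Least information: only numbers that matched a discoverable account are
    # echoed back. Unknown and opted-out numbers are simply absent, so the
    # response does not reveal whether a number is registered at all.
    matches = {n: directory[n][0] for n in wanted
               if n in directory and directory[n][1]}
    return 200, {"matches": matches}
```

The quota is keyed on the authenticated account rather than the client IP, since an enumeration campaign can trivially spread across addresses but must still hold accounts.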

When researchers find it, attackers are not far behind.

The Snapchat breach teaches two lessons: first, that API security vulnerabilities must be treated with the same urgency as any other security finding; and second, that responsible disclosure from security researchers is a gift, not a threat. Researchers who report vulnerabilities are doing the work that your own security testing should be doing. Dismissing their findings as 'theoretical' does not make the vulnerability go away — it makes the breach inevitable.

Our API penetration testing identifies the enumeration, scraping, and data exposure vulnerabilities that Snapchat ignored. Cyber Essentials establishes baseline security. SOC in a Box monitors for API abuse patterns including automated scraping. And UK Cyber Defence provides incident response when API vulnerabilities are exploited.


Snapchat ignored the warning. The breach followed. Have your APIs been tested?

Our <a href="/penetration-testing/api">API penetration testing</a> finds the enumeration, scraping, and data exposure vulnerabilities before researchers or attackers do.
