In mid-December 2013, researchers at Gibson Security published Snapchat code allowing phone-number matching, after their earlier exploit disclosures had been dismissed as theoretical by Snapchat. It looks like hackers took the Gibson Security disclosure more seriously than Snapchat did.
On January 1, 2014, an anonymous user announced the release of SnapchatDB and 4.6 million usernames and matched phone numbers in a Hacker News post.
The Snapchat accounts, even those marked 'private', were exposed in a database hack that Snapchat knew about for four months, ignored, and then told the press last week was only "theoretical."
The SnapchatDB website is gone, but the database was copied, torrented and mirrored (on Mega) widely prior to its removal.
Several websites immediately sprang up offering a tool for users to check whether they are in the leaked database. The source of the first and second disclosures, Gibson Security, created this Snapchat hack lookup tool.
The last two digits of each phone number in the dump were masked, but SnapchatDB said full numbers would be revealed to interested parties, indicating that the 4.6 million usernames and numbers will likely be sold to spam and phishing operations.
The linking of phone numbers to usernames for accounts in major cities across the United States and Canada is a private-information disaster that could have been avoided if the company had acted when repeatedly warned.
According to Gibson Security, fixing the threat would have only cost Snapchat ten lines of code.
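The weakness behind the dump was a contact-matching (find-friends) endpoint that would answer bulk phone-number queries without limit. The block below is an added example of the kind of small server-side throttle that closes that hole; it is a constructed illustration, not Snapchat's or Gibson Security's code, and the budget values, the `FindFriendsThrottle` class and the `match_contacts` handler are assumptions.

```python
from collections import defaultdict, deque

# Assumed budget: a real address book holds hundreds of numbers, not millions.
WINDOW_SECONDS = 3600          # sliding window per client
MAX_LOOKUPS_PER_WINDOW = 500   # total numbers a client may probe per window
MAX_BATCH = 100                # numbers accepted in a single request


class FindFriendsThrottle:
    """Per-client sliding-window budget for a phone-number matching endpoint."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_LOOKUPS_PER_WINDOW, max_batch=MAX_BATCH):
        self.window = window
        self.limit = limit
        self.max_batch = max_batch
        self._events = defaultdict(deque)   # client_id -> deque of (timestamp, count)

    def _spent(self, client_id, now):
        """Drop events older than the window and return lookups used inside it."""
        q = self._events[client_id]
        while q and q[0][0] <= now - self.window:
            q.popleft()
        return sum(count for _, count in q)

    def check(self, client_id, numbers, now):
        """Return (allowed, reason). Oversized batches are refused outright;
        the budget is charged only for requests that are actually served."""
        if len(numbers) > self.max_batch:
            return False, "batch too large"
        if self._spent(client_id, now) + len(numbers) > self.limit:
            return False, "rate limit exceeded"
        self._events[client_id].append((now, len(numbers)))
        return True, "ok"


def match_contacts(directory, client_id, numbers, now, throttle):
    """Mock find-friends handler. `directory` is a constructed phone -> username map.
    Returns the matches for registered numbers, or None when the request is throttled."""
    allowed, _reason = throttle.check(client_id, numbers, now)
    if not allowed:
        return None
    return {n: directory[n] for n in numbers if n in directory}


if __name__ == "__main__":
    # Constructed data: two registered numbers and one stranger.
    directory = {"+15550100": "alice", "+15550101": "bob"}
    throttle = FindFriendsThrottle(limit=250, max_batch=100)
    print(match_contacts(directory, "app-1", ["+15550100", "+15550102"], 0, throttle))
```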
Snapchat joins a long line of companies that dismissed responsible disclosure from security researchers, only to be embarrassed when users became victims of the exact targeted attacks whose warnings went ignored.
Hopefully this serves as a lesson to others: don't ignore security professionals when they responsibly disclose vulnerabilities to your company; act on the report before it is too late.