That turned down $3bn ...
... is fading into the distance.
Hackers claim to have lifted millions of Snapchat usernames and phone numbers, apparently taking advantage of a vulnerability that the messaging service last week dismissed as mostly theoretical. A partially redacted database of 4.6 million usernames and phone numbers (minus two digits) - purportedly of Snapchat users - have …
Idiots, that is all.
For reference, an excellent new (and free) service that was launched recently to help people determine if their details have been included in this and other big data breaches:
Enter your email or snapchat username to see if you have been a victim of this and other data breaches (Adobe, Yahoo!, Sony, etc)
"Enter your email or snapchat username to see if you have been a victim of this and other data breaches (Adobe, Yahoo!, Sony, etc)"
Yeah right......enter valid details on an unknown website, that sounds like a clever plan!
Domain Name: HAVEIBEENPWNED.COM
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS35.DOMAINCONTROL.COM
Name Server: NS36.DOMAINCONTROL.COM
Updated Date: 13-nov-2013
Creation Date: 13-nov-2013
Expiration Date: 13-nov-2014
If you're affected by the snapchat episode, don't enter your e-mail.
AFAIK (could be wrong) but reading the exploit in code and looking at their API the most detail it leaks is phone numbers, display name, username and whether the account is public/private; e-mails aren't part of it.
If you do enter your e-mail you will be leaking your own info. Who such checking sites are run by is irrelevant.
Well, my adobe@ username has obviously been "pwned". None of the others have, allegedly. At least according to that site.
However according to an utterly massive data dump I (and many others) got from the Reg a while ago, my email address for this place is comprehensively pwned. Coff. Lucky I have at least semi-sensible passwords, eh?
As for being all super scared about entering your details into that web site, it's been around for quite the long while now. It's being run by someone who presumably wants you to use it. Doing nefarious things with the stuff you type into the search box is not going to be conducive to that. Besides, exactly what is the owner going to do with your username, when s/he apparently already has raw data from umpteen leaks to choose from?
"Run by Troy Hunt who is a security researcher"
Like that's going to make all the difference in the world. I tried "firstname.lastname@example.org" and it appears that that entirely made up name had already been pawned at Adobe.
But there is good news: "email@example.com" is free from any pawnage. I'll be sure to use that one in the future...
>I tried "firstname.lastname@example.org" and it appears that that entirely made up name had already been pawned at Adobe.
Oh, how original. I'm sure if you tried email@example.com or one of the other top 100 made up email addresses you'd find them in commonly hacked databases. Even on sites that require a validation email, that doesn't mean your address is ever deleted from the server if it's not validated.
What's with all the downvotes?
The site is run by Troy Hunt who is a very well respected security researcher whose reputation is far too valuable for him to do anything screwy with the data people enter. Maybe I should have stated that in my original post.
He doesn't store the details you enter and even if he did, I'd trust him with my data over a lot of other companies, at least he understands the need for security and how to implement it.
I was just trying to offer some help so people can discover if their accounts have been compromised, think I won't bother next time!
I agree. It showed my spam-box email address, which I don't care about, was leaked by Adobe, together with the password I used on the site. There was zero reason to require an email address or account for what I had needed anyway, Adobe just insisted, like Codemasters before them, with the same result. CUNTS, the lot of them.
However, I guess a point is that you probably shouldn't need to use Hunt's site - you should assume your details are stolen, and act accordingly.
Errr, seeing as snapchat claim to have 30 million active accounts I wouldn't describe 4.6 million as the 'vast majority'. But hey, nothing wrong with talking up a story. Neither myself nor a few random friends I checked are actually in the list thankfully. Having said that, it's outrageous they knew about the issue and did nothing; with more time and effort they probably could have obtained most of the accounts.
They've already proven to be blindingly trustful of people on the internet, just claim to be a new internet payment company that deletes their banking details 6 seconds after the transaction and you can start extracting obscene amounts of cash from them.
I know that most of the users are teenagers living at home, but the same kind of parent that gives their kids a smartphone is also the same kind of idiot that gives them a credit card.
Is this not more a terms of service violation* than a security problem? I don't use Snapchat and don't know their terms, but it appears the "hack" uses a provided API for its intended purpose, albeit "from a program" and at a high rate. If this runs against their TOS and they chose not to prevent it that is pretty sloppy on their part and risks customer irritation for going beyond what they thought based on the TOS acceptance that they clicked without reading any part of.
* Of course, in the US this might fall under the Computer Fraud and Abuse Act and be subject to prosecution by an occasional politically ambitious US Attorney
and they can't.
It isn't possible. There was a company in the early 2000s trying to do this with web pages. It took me about 45 minutes to think about how to break it and 20 seconds to demonstrate.
Of course it might be slightly easier now, given that you don't actually own or control your phone...
And what else? If I wanted to build up a secret database of names and phone numbers, I'd start with the phone book that BT still drop on my doorstep every other year. As the article stands, there really isn't anything to worry about here. Just a website operator to laugh at.