Snapchat CEO Evan Spiegel has finally addressed a New Year's hack that exposed millions of users' personal data.
The embarrassing breach followed warnings from the Internet security syndicate GibsonSec, which found flaws in Snapchat's software.
The flaw allowed anyone to abuse the app's 'find friends' function. With a database of millions of phone numbers, an intrepid hacker could match numbers that were attached to Snapchat accounts, and compile a database of usernames and phone numbers.
GibsonSec warned Los Angeles-based Snapchat of the vulnerability in August and posted it publicly over Christmas after never hearing from the company.
Then on New Year's Eve another hacker group took advantage of the security hole and released data on 4.6 million Snapchat users. That came after Snapchat downplayed the risk in a blog post.
Today, Spiegel talked to NBC's Carson Daly, acknowledging the mess-up. "We thought we had done enough," Spiegel was quoted as saying on the Today website.
Snapchat also posted a notice on its blog saying that it would update the app with a more secure version. The company also pointed out that users could opt out of linking their phone numbers to the 'find friends' function.
However, Snapchat has not apologized for the data leak, and Spiegel appeared to want to move on from the incident. "I think in a business like this and a business that is moving so quickly, if you spend your time looking backwards, you're just going to kill yourself," Spiegel told Daly.
Of course, Snapchat is among the hottest apps for social networking, allowing users to send photos that erase themselves. The privacy from disappearing photos is among the key draws for the younger generation wary of preserving indiscretions for eternity online. The security breach has been viewed as a blow to Snapchat's credibility.
The team at GibsonSec, which uncovered the security flaw, said the database of usernames and numbers could be exploited by bad actors.
"This is a big deal because of Snapchat's primary demographic (13-23 years of age) and most usernames contain the user's full name, and the user often shares the same handle with other social networking websites like Instagram and Twitter," the group said in an email. "Someone could use this data to stalk someone, or potentially sell it to one of the many shady data firms, where it can be sold to some really bad people."
The group that released the list of millions of users is said not to be connected to GibsonSec, and that group told The Verge that it has received requests to release the full, uncensored database.
The group posted the data to snapchatDB.info, but hid the last two digits of the phone numbers.
GibsonSec said that researchers, private investigators and attorneys have also contacted them for the unredacted data.