Hackers have posted the usernames and mobile phone numbers of 4.6 million US Snapchat account holders on a website called SnapchatDB.info.
Snapchat is a mobile app that allows users to send and receive "self-destructing" photos and videos.
The last two digits of the users' phone numbers were censored, and the website has since been taken down, although a cached version is still available, according to the BBC.
The hack comes days after Australian firm Gibson Security warned that hackers could exploit vulnerabilities in the Snapchat app.
The hackers said they had exploited the security flaw highlighted by Gibson Security. "We used a modified version of gibsonsec's exploit/method," they were quoted as saying by TechCrunch.
The hackers said their aim was to raise public awareness around the issue, and also put public pressure on Snapchat to get the exploit fixed.
“It is understandable that tech startups have limited resources, but security and privacy should not be a secondary goal. Security matters as much as user experience does,” they told TechCrunch.
In a report published on 25 December 2013, Gibson Security warned that a vulnerability in the Snapchat app could be used to reveal the phone numbers of users.
The report said Snapchat had been alerted to this possibility four months ago, but had taken no steps to improve security.
Snapchat acknowledged the vulnerability in a blog post on 27 December, but said it had implemented “various safeguards” to protect user data.
The hackers who published the Snapchat user data said the vulnerability still exists, making it possible to harvest user data on a large scale.
Snapchat has yet to respond to requests for comment and information on what steps it plans to take to ensure user data is safe.