Hackers downloaded and published the usernames and phone numbers of 4.6m users of popular app Snapchat.
Snapchat allows people to share pictures, which delete themselves after being viewed.
Its Find Friends feature allows users to upload their address book contacts, to find friends who are also using the service.
A website called SnapchatDB released the data, censoring the last two digits of the phone numbers.
The hack comes days after Australian firm, Gibson Security, warned of vulnerabilities in Snapchat’s code.
Gibson Security said it was not involved in the hack, although the hackers did exploit the security flaw pointed out by the company.
“We know nothing about SnapchatDB, but it was a matter of time till something like that happened,” Gibson Security tweeted.
The hackers were quoted by Tech Crunch as saying: “We used a modified version of gibsonsec’s exploit/method.”
Snapchat implemented more security following the disclosure, but those who have taken responsibility for the hack say that the app failed to protect its users.
SnapchatDB said: “Even now the exploit persists. It is still possible to scrape this data on a large scale. Their latest changes are still not too hard to circumvent.”
Snapchat’s founder Evan Spiegel – whose phone number was apparently included in the hack – tweeted that the company was currently “working with law enforcement” and will “update when we can”.
The company released a statement without an apology, with some, including Fortune’s Dan Primack, wondering if Spiegel should be fired.
Spiegel has seen the app grow to over than 10m active users, and in November turned down a $4bn offer from Facebook to buy the app.
Snapchat have since hired lobbyists Heather Podesta + Partners, who will work with the company “educating policymakers regarding the application’s operation and practice” – following a call by some for the Federal Trade Commission to investigate the breach.