![Report: Snapchat works to improve app in the wake of major data leak](http://natmonitor.com/news/wp-content/uploads/computer.jpg)
Hackers published a registry of 4.6 million Snapchat usernames and phone numbers on the internet.
It wasn’t the merriest of Christmases for Snapchat. A VentureBeat article claims that last week, on December 25th, no less, an Australian research outfit called Gibson Security published its findings on a major security flaw in Snapchat’s systems. The firm unveiled Snapchat’s API (application programming interface), effectively giving hackers the ability to match usernames to phone numbers.
That’s precisely what hackers did on New Year’s Eve, publishing a registry of 4.6 million Snapchat usernames and phone numbers on the internet and exposing a massive security oversight in the photo messaging application. Many Snapchat users have spent the few days since the leak browsing the list in search of their phone numbers and usernames, all in an effort to make sure that their account details have not been compromised.
Data leaks like this one aren’t exactly uncommon. In 2012, for example, LinkedIn, the social media website used primarily for professional networking, suffered a password leak that compromised many of its users’ profiles.
According to a report from TechCrunch, Snapchat was made aware of the vulnerability in its API back in August. When Gibson Security leaked information on how to access the API last week, they mocked Snapchat for not fixing the vulnerability despite having four months to do so and despite the fact that it would have taken about “ten lines of code.”
Not only did Snapchat fail to address the vulnerability when they were publicly notified of the problem in August, they also made little to no effort to prevent a major leak of user data after the API was exposed last week. In fact, the company actually published a blog post in the wake of the Christmas leak that may well have inspired and enabled hackers to expose user information.
“Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way,” the company said in the blog post. Hackers did just that on New Year’s Eve, and now 4.6 million usernames and phone numbers have been revealed to the internet as a result.
These aren’t the only signs of hubris over at the Snapchat offices. In yet another blog post, posted on January 2nd, the company said that it was addressing security vulnerabilities and updating its apps to prevent leaks in the future, but did not in any way apologize to its customers for the security oversights that allowed the data leak to take place. Earlier this year, Snapchat also rejected a $3 million acquisition offer from Facebook.