It’s taken some sound and fury but Snapchat has finally said sorry for its December data breach which saw 4.6 million usernames and phone numbers leaked.

In a blog post today, Snapchat confirmed it has updated its Android and iOS apps to allow users to opt out of the Find Friends functionality which harvests the data that was leaked. It also notes that the new version of the feature requires new users to verify their phone number before using it.

Here’s the blog post in full:

Find Friends Improvements

This morning we released a Snapchat update for Android and iOS that improves Find Friends functionality and allows Snapchatters to opt-out of linking their phone number with their username. This option is available in Settings > Mobile #. This update also requires new Snapchatters to verify their phone number before using the Find Friends service.

Our team continues to make improvements to the Snapchat service to prevent future attempts to abuse our API. We are sorry for any problems this issue may have caused you and we really appreciate your patience and support.

Love, Team Snapchat

In a post earlier this month, Snapchat blamed the data leak on ‘abuse’ of its API — although it did also acknowledge that the way it stores the information made it possible for a database of numbers to be used to sniff out usernames and match them up.

In today’s post it’s still going with the ‘API abuse’ line, but has now uttered the hardest word too: sorry.

Since details of the breach emerged, and Snapchat’s response to it unfolded, CEO Evan Spiegel has taken a lot of flak for being casual and cavalier instead of contrite.

Spiegel used the opportunity of an appearance on Today to avoid apologising, and instead said the company ‘thought it had done enough’. Which prompted some calls for him to fall on his sword. Instead of sacking himself, he’s evidently decided to apologise.

Beyond Spiegel’s earlier ‘not going to cry over spilt milk’ attitude to user data leaks, the breach has been hugely embarrassing for Snapchat because it ignored (and even scoffed at) warnings about how its systems could be exploited — only for the exploit to subsequently be carried out. Oops.

Let that be a lesson to app makers everywhere to care a lot more about user data security. And to underestimate hackers at your peril.