A security company reverse engineered Snapchat’s android client and found all the api endpoints (source).
Bigger issue: The published proof of concept of using “find friends” feature to find whether a phone number is registered on Snapchat or not, and if it is, then its associated username and location of the user.
Their claim was that despite informing Snapchat about the hole, Snapchat did nothing about it.
As expected, someone published data of 4.6M registered users (source) using the proof of concept provided. Snapchat responded saying that soon users will be able to opt-out of find friends feature.