An unsecured database containing the private contact information of millions of Instagram influencers, celebrities and brand accounts has been discovered, and it is said to have included personal information such as phone numbers and email addresses. The database was reportedly unprotected, and anyone could have accessed the sensitive information it contained.
The discovery was first reported by Zack Whittaker of TechCrunch, who said that cybersecurity researcher Anurag Sen discovered the exposed and unprotected database, hosted by Amazon Web Services. According to the initial report, the database already held 49 million records and appeared to be growing by the hour.
Each record in the database contained publicly listed data scraped from influencer, celebrity, and brand Instagram accounts, including their bio, profile picture, follower count, verification status, and location by city and country. However, the database also contained private contact information, including email address and phone number.
Several high-profile influencers and celebrities were found in the database, including some prominent beauty and fashion bloggers, food bloggers, celebrities, and other famous social media influencers. According to Whittaker, he contacted several people at random whose information was found in the database, and some of them replied, confirming that some, or most, of the data contained in the database was actual data scraped from their Instagram accounts.
The database was then traced back to an India-based social media marketing company, Chtrbox, a firm that pays Instagram influencers to post sponsored content on their accounts. The report revealed that each record, aside from the public and personal information of the account owner, also included an estimated worth of the account, based on the number of followers, the level of engagement, the breadth of reach, and the likes and shares received. The calculation was used as a metric to determine how much to pay an influencer to post sponsored content on their account as an ad.
Those who responded said that the email address and phone number in the database were the ones they used to sign up for Instagram, and they denied having had any business dealings with Chtrbox.
The researchers were able to contact Chtrbox and succeeded in having the company take the database offline; however, Pranay Swarup, the founder and Chief Executive Officer of the social media marketing firm, declined to comment or answer questions raised by the researchers.
It remains unclear how the company was able to obtain such a large volume of data.
One theory put forward by the researchers is that two years ago, a security bug in Instagram's developer API allowed hackers to obtain the email addresses and phone numbers of six million Instagram accounts. The hackers later sold the data they had scraped by exploiting the bug to the highest bidders for bitcoin.
Hackers have launched a website with a searchable database of some Instagram users’ alleged personal info. The data, a sample of which the hackers provided t, appears to include email addresses and phone numbers for a selection of high profile Instagram users, including politicians, sports stars, and media companies. The data also seems to contain information on more ordinary accounts, too.
“Instagram clearly hasn’t yet understood the full impact of this bug,” said one of the people behind the site, dubbed ‘Doxagram.’
Some of the accounts in the list are seemingly high profile. One entry is allegedly for the official President of the United States’ Instagram account. Another alleged account appears to belong to Cristiano Ronaldo, the world-famous soccer player.
As for why the database contains high profile users, the hackers claimed they set up their scraper to initially target all users with over 1 million followers, and then recursively harvest other users. In all, the hackers claim to have over 6 million accounts in their database.
Meanwhile, Facebook said in a statement following the disclosure of the database that the company is investigating the matter.
“We’re looking into the issue to understand if the data described – including email and phone numbers – was from Instagram or from other sources,” said an updated statement. “We’re also inquiring with Chtrbox to understand where this data came from and how it became publicly available,” it added.