Chtrbox, the Indian marketing and promotions company accused of sourcing millions of celebrities and Instagram influencers illegally and exposing the database online, denied the allegations that they unethically sourced the data in the discovered leaked data pool.
In late May, a tech researcher found an exposed database containing the personal and private information of millions of celebrities, social media influencers, and brand accounts from Instagram. Following an investigation conducted by the researcher, it was determined to be owned by an Indian marketing company named Chtrbox, which is selling services such as marketing promotions with influencers as well as sponsored ads.
Recently, the company in question responded the allegations made by tech researcher Anurag Sen from Twitter and said that they did not purposely or recklessly leaked the said data, but instead, a third party inadvertently exposed the data.
“The reports on a leak of private data are inaccurate. A particular database for limited influencers was inadvertently exposed for approximately 72 hours,” said the company’s official statement regarding the incident.
But this claim has been debunked by the original reporter of the data breach. Zack Whittaker, a journalist from TechCrunch, through his Twitter account, said that the breach had been discovered since May 14 and the claim that the breach lasted for only 72 hours is “inaccurate.”
Each record in the database contained publicly listed data scraped from influencer, celebrity, and brand Instagram accounts including their bio, profile picture, their follower count, verification status, and their location by city and country. However, the database also contained private contact information, including email address and phone number.
Several high profile influencers and celebrities were found in the database, including some prominent beauty and fashion bloggers, food bloggers, celebrities, and other famous social media influencers. According to Whittaker, he contacted several people on the list at random whose information was found in the database, and some of them indeed replied, confirming that some – or most – of the data contained in the database are actual data scraped from their Instagram accounts.
The report revealed that each record, aside from public and personal information of the account owner, also includes an estimated worth of each account, factored by the number of followers they have, the engagement level they receive, the width of their reach, likes, and shares they had. The calculation was used as a metric to determine how much to pay an influencer to post a sponsored content on their account as an ad.
However, the company also denies this claim saying that private information was not taken unethically.
“The database did not include any sensitive personal data and only contained information available from the public domain, or self-reported by influencers. We would also like to affirm that no personal data has been sourced through unethical means by Chtrbox. Our database is for internal research use only, we have never sold individual data or our database, and we have never purchased hacked data resulting from social media platform breaches. Our use of our database is limited to help our team connect with the right influencers to support influencers to monetize their online presence, and help brands create great content,” the company added.
Another tech researcher chimed in the discussion on Twitter saying that it is possible that the database entries were taken from a February 2019 Instagram breach that he previously reported. He said that not only did the exposure started from May 14th, but even since December 2018.
David Stier, a cybersecurity researcher, said that even after Instagram fixed the exposure following his report, phone numbers and email addresses of IG accounts were still visible on many accounts in the Instagram app.
Another tech researcher chimed in the discussion on Twitter saying that it is possible that the database entries were taken from a February 2019 Instagram breach that he previously reported. He said that not only did the exposure started from May 14th, but even since December 2018. David Stier, a cybersecurity researcher, said that even after Instagram fixed the exposure following his report, phone numbers and email addresses of IG accounts were still visible on many accounts in the Instagram app.
Until now, it is still unclear how Chtrbox gathered the data. The original theory was regarding the IG breach, something that the company has also denied in its statements.
Meanwhile, in a statement made by Facebook following the disclosure of the database said that the company is investigating the matter.
“We’re looking into the issue to understand if the data described – including email and phone numbers – was from Instagram or other sources,” said an updated statement. “We’re also inquiring with Chtrbox to understand where this data came from and how it became publicly available,” the social media giant said in a statement.