
Published on May 21st, 2019


Database May Have Exposed Instagram Data for 49 Million



Data Loss, Governance, Privacy

Email Addresses, Phone Numbers Potentially Exposed


There's been a potential leak of personally identifiable information from Instagram, but it's not clear yet whether the data came directly from the social media company.


Security researcher Anurag Sen found a database online that appeared to contain profile data for 49 million Instagram users, including their email addresses and phone numbers - data that is supposed to be private. Instagram has at least 1 billion active monthly users.

Sen brought the database to the attention of TechCrunch, which traced the owner to Mumbai-based Chtrbox, a social media company. The database, which was hosted on Amazon Web Services, was left open on the internet without password protection. Chtrbox has since pulled it offline.

Celebrity Accounts

Chtrbox connects Instagram users and companies for paid promotional posts. LinkedIn lists Chtrbox as having between 11 and 50 employees. Efforts to reach Chtrbox CEO Pranay Swarup through several channels were not immediately successful.

Email addresses and phone numbers are considered to be personally identifiable information in many jurisdictions, including in the European Union under the General Data Protection Regulation. The exposure of that kind of information could trigger reporting requirements depending on the nationality of those affected.


TechCrunch reports it found contact information for celebrities, food bloggers and other social influencers, among others. The database contained a figure estimating how much each account was worth based on metrics such as the number of followers, likes, shares and engagement, it reports.

Instagram, which is owned by Facebook, is investigating whether a third party may have improperly stored the data. A spokesman tells ISMG it's not clear yet whether the phone numbers and email addresses necessarily came from Instagram.





"Regardless, the possibility of third parties mishandling user data is something we take seriously, which is why we're quickly working to understand what happened," he says.

Source of Data: Unknown

Facebook's data-collection and handling practices have come under the scrutiny of regulators, which was largely kicked off by the Cambridge Analytica scandal. The scandal highlighted how Facebook failed to stop personal data from slipping into the hands of unvetted third parties despite policies that forbid that from happening (see: Facebook: 87M Accounts May Have Been Sent To Cambridge Analytica).

Facebook is anticipating a $3 billion to $5 billion fine from the Federal Trade Commission for violating a 2012 consent agreement that aimed to reform its data-sharing practices. The agency accused Facebook of sharing data without consent and deceptive conduct around its private controls (see: Facebook Takes $3 Billion Hit, Anticipating FTC Fine).

It's difficult to speculate how Chtrbox may have been able to obtain data that is supposed to be private. TechCrunch reports that it contacted several random people whose information was in the database and confirmed their phone numbers and email addresses, and those individuals also confirmed those were the details linked to their Instagram accounts.

But the trade in personal data is a murky rabbit hole. It's possible that Chtrbox has mapped email addresses and phone numbers obtained from other sources to Instagram accounts.

Instagram has had its own security problems with regard to personal data. Two years ago, it said hackers exploited a bug in its API. The result was a compromise of personal details in some accounts and some full account compromises.

At first, it appeared only the accounts of high-profile users had been probed, but later the trove was claimed to be 6 million accounts. The data was offered for sale online on a site called Doxagram, and later an advertisement for a so-called Instagram "Lookup Service" appeared on the Bitcointalk.org forum.

Hackers advertised an Instagram "lookup service" on Bitcointalk.org after exploiting a security vulnerability in the social network.

The attackers offered contact information for celebrities such as Selena Gomez and Justin Bieber for $10 and later discounted the price to $5 (see: Instagram Warns Hack More Widespread Than Expected).
