
Published on May 21st, 2019

Unsecure Chtrbox AWS database exposes data on 49 million Instagram influencers, accounts



An unsecured Chtrbox database hosted by Amazon Web Services
(AWS) and discovered by security researcher Anurag Sen has exposed the records
of more than 49 million Instagram influencers.

Data scraped from the accounts include bios, account details
like number of followers, location information, email addresses, phone numbers
and profile pictures as well as a calculated valuation of each account,
according to a TechCrunch report.

Chtrbox, based in Mumbai, pays influencers, including
celebrities, to post sponsored content.

“Influencers, celebrities and brands carry a lot of clout on social media with their ability to impact their followers’ sentiments and actions,” said Kevin Gosschalk, CEO and co-founder of Arkose. The exposure of Instagram influencers and celebrities “is a timely reminder of the deep responsibility a company has to protect the mass amount of data that it collects,” said Gosschalk.

Social media marketing firm Chtrbox has taken the database
offline and Instagram parent, Facebook, said in a statement that it is
investigating – querying Chtrbox as to the origins of the data and how it came
to be exposed. “We’re looking into the issue to
understand if the data described – including email and phone numbers – was from
Instagram or from other sources,” Facebook said.

“Facebook, which owns Instagram,
said it was looking into the matter. Alternatively, as the old gag goes – ‘Facebook
has been advised of yet another security hole. Mark Zuckerberg is looking into
it,’” said Lucy Security CEO Colin Bastable. “Of course, it is no joke for the 49
million influencers, but anyone who entrusts their data to any part of the
Facebook business must expect it to have a resale value.”

The Instagram incident is the latest in a long string of unsecured
databases that expose massive quantities of data.





“Very often, we find that some database
storing private, sensitive data in the application layer
is accessible over the internet,” said Ameya Talwalkar, Co-founder and CPO. “In most cases, there is no inherent
security built into these databases. That is because they are meant to be
accessed by other services and applications in the application tier – post
authentication.”

Noting the “notion of explicit trust between the services/applications using these databases,” Talwalkar explained, “In cases where these databases have some security/authentication support, it is usually not turned ON, in order to serve queries as fast as possible, based on the explicit trust model. As these application tiers are changing very rapidly due to fast dev-ops cycles, there is frequent change happening in that application tier.”

Those changes sometimes “leave sensitive databases wide open for access from the public internet” and information vulnerable to hackers who scrape it and sell it, he said.  

Calling the Instagram
exposure “yet another instance of a company failing to even use a password,
which is a shocking phenomenon because it is the most basic form of security,”
Gosschalk called for organizations to step up and protect databases and the
sensitive information they house. “Time is up – companies need to be
proactively protecting their attack surface, especially online databases
containing valuable customer records, to protect their digital ecosystems
against damaging cyberattacks,” he said.
