Millions of Instagram users — including celebrities and brands — have had their accounts exposed online.
The database, hosted by Amazon Web Services, was left exposed and without a password, compromising 49 million records, with that number growing by the hour.
Reports reviewed the data sent by a security researcher, finding that it contained information from the Instagram accounts of several high-profile influencers, including their bios, profile pictures, the number of followers they have, if they’re verified and their locations by city and country. In addition, there was also private contact information, including the account owner’s email address and phone number, as well as a record that calculated the worth of each account according to the number of followers, engagement, reach, likes and shares they had.
The database was ultimately traced back to Mumbai-based social media marketing firm Chtrbox, which promptly pulled the database offline once contacted by reporters. Pranay Swarup, the company’s founder and chief executive, did not respond to a request for comment.
Facebook, which owns Instagram, said it was investigating the breach.
“We’re looking into the issue to understand if the data described — including email and phone numbers — was from Instagram or from other sources,” said an updated statement. “We’re also inquiring with Chtrbox to understand where this data came from and how it became publicly available.”
Back in 2017, Instagram was the victim of a cyberattack that saw hackers using a bug in the social media site’s software to steal email addresses and phone numbers of celebrity accounts as well as regular users. The data was then being sold online, some for $10 via Doxagram, an Internet database. Doxagram said at the time that it has the contact information of famous people, such as Mark Zuckerberg, the chief executive of Facebook, and Rihanna, the pop artist. No passwords were stolen during the attack.