Database May Have Exposed Instagram Data for 49 MillionEmail Addresses, Phone Numbers Potentially Exposed
(See latest update on this story.)
See Also: The Evolution of Email Security
There's been a potential leak of personally identifiable information from Instagram, but it's not clear yet whether the data came directly came from the social media company.
Security researcher Anurag Sen found a database online that appeared to contain profile data for 49 million Instagram users, including their email addresses and phone numbers - data that is supposed to be private. Instagram has at least 1 billion active monthly users.
Sen brought the database to the attention of TechCrunch, which traced the owner to Mumbai-based Chtrbox, a social media company. The database, which was hosted on Amazon Web Services, was left open without password protection on the internet. Chrtbox has since pulled it offline.
Chtrbox connects Instagram users and companies for paid promotional posts. LinkedIn lists Chtrbox as having between 11 and 50 employees. In a response to a query, Chtrbox tells ISMG that "the reports on a leak of private data are inaccurate."
"A particular database for limited influencers was inadvertently exposed for approximately 72 hours," Chtrbox claims. "This database did not include any sensitive personal data and only contained information available from the public domain, or self reported by influencers."
Chtrbox also says it does not source personal data "through unethical means" and that it only operates in India.
"Our database is for internal research use only, we have never sold individual data or our database, and we have never purchased hacked data resulting from social media platform breaches," it says.
Chtrbox didn't respond to further questions about where the email addresses and phone numbers came from. But its account doesn't quite square with what Sen found.
Sen tells ISMG that the server the data was on was indexed by the Shodan search engine on May 14, which suggests that the 72-hour exposure period is inaccurate. Also, Sen says it's unclear why the company would have had details for people outside of India if the company only operates there.
Actually, it was first detected on Shodan on May 14, so this isn't accurate at all. https://t.co/O4bfivcR9y— Zack Whittaker (@zackwhittaker) May 21, 2019
Email addresses and phone numbers are considered to be personally identifiable information in many jurisdictions, including in the European Union under the General Data Protection Regulation. The exposure of that kind of information could trigger reporting requirements depending on the nationality of those affected.
"The possibility of third parties mishandling user data is something we take seriously, which is why we're quickly working to understand what happened."
TechCrunch reports it found contact information for celebrities, food bloggers and other social influencers, among others. The database contained a figure estimating how much each account was worth based on metrics such as the number of followers, likes, shares and engagement, it reports.
Instagram, which is owned by Facebook, is investigating whether a third party may have improperly stored the data. A spokesman tells ISMG it's not clear yet whether the phone numbers and email addresses necessarily came from Instagram.
"Regardless, the possibility of third parties mishandling user data is something we take seriously, which is why we're quickly working to understand what happened," he says.
Source of Data: Unknown
Facebook's data-collection and handling practices have come under the scrutiny of regulators, which was largely kicked off by the Cambridge Analytica scandal. The scandal highlighted how Facebook failed to stop personal data from slipping into the hands of unvetted third parties despite polices that forbid that from happening (see: Facebook: 87M Accounts May Have Been Sent To Cambridge Analytica).
Facebook is anticipating a $3 billion to $5 billion fine from the Federal Trade Commission for violating a 2012 consent agreement that aimed to reform its data-sharing practices. The agency accused Facebook of sharing data without consent and deceptive conduct around its private controls (see: Facebook Takes $3 Billion Hit, Anticipating FTC Fine).
It's difficult to speculate how Chtrbox may have been able obtain data that is supposed to be private. TechCrunch reports that it contacted several random people whose information was in the database and confirmed their phone numbers and email addresses, and those individuals also confirmed those were the details linked to their Instagram accounts.
But the trade in personal data is a murky rabbit hole. It's possible that Chtrbox has mapped to Instagram accounts email addresses and phone numbers obtained from other sources.
Instagram has had its own security problems in regards to personal data. Two years ago, it said hackers exploited a bug in its API. The result was a compromise of personal details in some accounts and some full account compromises.
At first, it appeared only the accounts of high-profile users had been probed, but later the trove was claimed to be 6 million accounts. The data was offered for sale online on a site called Doxagram, and later an advertisement appeared for a so-called Instagram "Lookup Service" appeared on the Bitcointalk.org forum.
The attackers offered contact information for celebrities such as Selena Gomez and Justin Bieber for $10 and then later discounted to $5 (see: Instagram Warns Hack More Widespread Than Expected).