Data from 'six million' Instagram accounts leak online

Instagram warns users to be vigilant to scam calls and emails

The personal details of up to six million Instagram users have reportedly been leaked online after a bug in the platform made profiles' account information publicly accessible.

The flaw, which exposed the email addresses and phone numbers of both private and public accounts, was subsequently exploited by hackers, who were able to harvest the data into a dark web database, where contact details were being sold for $10 each.

While the vulnerability was initially thought to have only affected a small number of A-list celebrity accounts, including singers Selena Gomez, Taylor Swift and Harry Styles, The Daily Beast reported that hackers claimed to have the contact details of as many as six million users.

Responding to the leak, Facebook-owned Instagram said it was working with law enforcement, adding that the bug was now fixed and that no passwords were stolen.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

"We encourage you to be vigilant about the security of your account, and exercise caution if you observe any suspicious activity such as unrecognised incoming calls, texts, or emails," Instagram's co-founder and CTO, Mike Krieger, said in a statement.

"Protecting the community has been important at Instagram from day one, and we're constantly working to make Instagram a safer place. We are very sorry this has happened."

A dedicated portal (with URLs redacted) advertises details for the "price of 2 cups of coffee"

The hackers, who remain unidentified, hosted the database on a dedicated site called Doxagram, allowing users to search for contact information for a $10 fee. A sample of 1,000 accounts was supplied to The Daily Beast, each containing an email address, phone number, or both.

Although Facebook is working to take down the domains used by the hackers, the database is still up and running at the time of writing, and is even operating a dedicated Twitter account.

Researchers at Kaspersky, who apparently discovered the flaw and reported it to Facebook, told Hacker News that the problem lay with Instagram's mobile API, and its password reset function. It was discovered that a user could request a new password on an account and intercept the details sent in response.

Advertisement - Article continues below

As well as changing passwords, the company has urged users to turn on two-factor authentication, which is available through their Instagram accounts.

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/policy-legislation/general-data-protection-regulation-gdpr/354577/data-protection-fines-hit-ps100m
General Data Protection Regulation (GDPR)

Data protection fines hit £100m during first 18 months of GDPR

20 Jan 2020
Visit/web-browser/30394/what-is-http-error-503-and-how-do-you-fix-it
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020