The personal data of millions of Instagram users has reportedly been published in an online database, including prominent celebrities and influencer accounts.
Instagram is home to huge celebrity followings, clever brand accounts and the emerging field of "influencers." All of these popular accounts were targeted in a recent security breach, according to a report by Tech Crunch, and their data was made available on a separate public database.
The database is reportedly hosted by Amazon Web Services, and is wide open the Internet. No password or other verification is required, and once inside users can see the email address, phone number and other personal data of millions of Instagram users.
More than 49 users' data has been published in the database, and more was going up each hour. Cyber security experts reportedly rushed to find the owner of the database, hoping to get it shut down before more people were put at risk.
The database reportedly included the account name, profile picture and follower count of each Instagram user in it. It also culled information from their verified locations and self-description in their bio. In addition to phone numbers and email addresses, it revealed the estimated worth of each account, noting how much they might get paid for an ad or a sponsored post.
Reporters traced the database to a social media marketing frim in Mumbai called Chtrbox, which often employs influencers to make sponsored posts. However, when they contacted users exposed in the database, they said that they have never worked with Chtrbox before.
Chtrbox pulled the database from the Internet after it was contacted by reporters and security experts. The company's founder and chief executive, Pranay Swarup, did not respond to a request for comment from journalists.
It is still not clear how Chtrbox obtained the private email addresses and phone numbers of so many users, or why they were kept on a public database. According to Tech Crunch they were "scraped" from within Instagram, an issue that the site has had before.0comments
In 2017, hackers exploited a bug to scrape the data of six million users, and were then paid in bitcoin for the information. Compared to this, that was a small breach. Instagram's parent company, Facebook, promised to look into the issue.
“We’re looking into the issue to understand if the data described – including email and phone numbers – was from Instagram or from other sources,” said a company statement. “We’re also inquiring with Chtrbox to understand where this data came from and how it became publicly available."