Tens of millions of Instagram influencers have reportedly had their private data exposed in an online database. The records were hosted by Amazon Web Services and apparently had no password protection.
The database contained information such as phone numbers and email addresses for around 49 million Instagram influencers, celebrities, and brand accounts, according to a TechCrunch report on Monday. It also listed public data such as profile pictures and user locations.
After receiving an alert from cybersecurity researcher Anurag Sen, TechCrunch examined the records and traced the database to Chtrbox, a social media marketing company based in Mumbai, India. Chtrbox pays influencers to place sponsored content on their Instagram accounts. In addition, each Instagram account in the database reportedly showed an estimated worth, calculated by analyzing information such as the number of followers, as well as the number of likes and shares associated with different posts. This helped Chtrbox to arrive at a figure for paying an influencer.
Once it had been made aware of the security breach, Chtrbox took the database offline.
In a statement, Instagram said it’s investigating the issue “to understand if the data described — including email and phone numbers — was from Instagram or from other sources.” It added that it’s also in contact with Chtrbox “to understand where this data came from and how it became publicly available.”
In its terms of service, Instagram bans the practice of gathering data from users en masse, saying: “You must not crawl, scrape, or otherwise cache any content from Instagram including but not limited to user profiles and photos.”
Large databases like this offer rich pickings for hackers working to build up profiles of potential targets, and in this case provided a quick and easy way to find out the worth of particular influencers.
While there’s no suggestion that Instagram is at fault in this latest security hiccup, the Facebook-owned company has in the past caused consternation among its influencer community regarding such matters. In 2017, for example, a software bug gave hackers access to personal data for a number of high-profile Instagram users. And last year, Instagram’s Download Your Data tool was discovered to have had a security flaw that leaked passwords in plain text, an issue that potentially affected not just influencers but Instagram’s entire community of more than one billion people. However, the company said that ultimately only a relatively small number of people used the tool before the bug was squashed, adding that it contacted all those affected.