Social media giant Instagram has been the subject of two significant data breaches in one week, with the private details of users found to be easily accessible online.
Last week TechCrunch reported that the private details of up to 49 million users of the Facebook-owned platform, including their phone numbers and email addresses, had been publicly accessible on a database hosted by Amazon Web Services that didn’t require a password.
Security researcher Anurag Sen had alerted TechCrunch to the database’s existence. The database belonged to Indian social media marketing firm Chtrbox, which pays social media influencers to post sponsored content on their Instagram accounts; it listed users in order to determine how much they should be paid, based on followers, engagement, likes and shares.
This was mostly based on publicly accessible information, but the database also included the contact details of influencers who have said they have no connection with Chtrbox.
In a tweeted statement, Chtrbox said TechCrunch’s reporting on the database was “inaccurate”, with the company claiming it contained information on 350,000 influencers at most, and had only been online for 72 hours.
“This database contained information already available from the public domain, with a nominal amount which was self-reported by influencers,” the company said.
“We would also like to affirm that no personal data has been sourced through unethical means by Chtrbox. Our database is for internal research use only, we have never sold individual data or our database, and we have never purchased hacked-data resulting from social media platform breaches.”
Insta investigates
In a statement, Instagram said the personal contact details listed on the database did not come from the social media platform.
“We take any allegation of data misuse seriously. Following an initial investigation into the claims made in this story, we found that no private emails or phone numbers of Instagram users were accessed,” an Instagram spokesperson said.
“Chtrbox’s database had publicly available information from many sources, one of which was Instagram. Chtrbox also clarified that the database contained information for 350,000 people, not 49 million as has been reported.
“We’re looking into the issue to understand if the data described – including email and phone numbers – was from Instagram or from other sources. We’re also inquiring with Chtrbox to understand where this data came from and how it became publicly available.”
If the contact details did come from Instagram, the vulnerability that could have allowed this to happen was also revealed this week.
Security researcher David Stier found a flaw in the Instagram website that meant the private contact details of thousands of users were easily accessible in the website source code.
Stier informed Instagram of the vulnerability in February, and in March the company rolled out a patch for the issue.
But the vulnerability is believed to have been there since October last year, and would have allowed nefarious actors to scrape the data from the website and use it to create a database of contact information for the users, similar to the Chtrbox list exposed this week.
Instagram faced a similar issue two years ago when a bug in its developer API let hackers obtain the email addresses and phone numbers of about six million users, with the data later sold for bitcoin.
It’s another high-profile privacy issue for Facebook, with its founder and CEO Mark Zuckerberg only just declaring that the company has a newfound focus on privacy.
The company has faced a series of data breaches and privacy controversies, most prominently the Cambridge Analytica scandal, where the data of more than 80 million Facebook users was obtained and used without their consent by the political consulting firm.
There was also a security breach last year hitting 30 million users after a “network incident” allowed hackers to exploit three intersecting bugs in Facebook’s system, with 100,000 Australians impacted.
The details of 540 million users were also found to be on publicly accessible Amazon cloud servers hosted by third-party Facebook applications earlier this year, while hundreds of millions of Facebook user passwords were inadvertently stored in plain text on the company’s internal systems.
Facebook’s encrypted communications platform WhatsApp was also found to have a significant breach earlier this year, with a flaw allowing spyware to be installed on a phone with just an unanswered phone call.