Instagram, Facebook’s hotter, snootier subsidiary, may have a massive data breach on its hands.
This week, a security flaw within Instagram allowed hackers to assemble a database of what appeared to be verified users’ contact information—some of those affected purportedly being celebrities and politicians. According to the Verge, Instagram now says the known scope of the breach has expanded to include at least some unverified Instagrammers.
“... We recently discovered a bug on Instagram that could be used to access some people’s email address and phone number even if they were not public,” Instagram CTO Mike Krieger wrote in a blog post. “No passwords or other Instagram activity was revealed. We quickly fixed the bug, and have been working with law enforcement on the matter. Although we cannot determine which specific accounts may have been impacted, we believe it was a low percentage of Instagram accounts.”
“We are very sorry this happened,” Krieger added.
As the Daily Beast reported last week, the unknown hackers behind the breach claim to have compromised six million accounts and set up a website called “Doxagram,” which allegedly offered access to phone numbers, email addresses or both for 1,000 Instagram accounts at $10 a search.
While a few of the addresses were public information, “many did not return any relevant Google results, implying they were obtained from some private source.” The Beast was able to confirm some of the leaked accounts had valid contact information; the site was later taken offline.
Per the Verge, cybersecurity firm RepKnight said supposed contact information for a number of celebrities featured on Doxagram was circulating on the dark web, ranging from Hollywood celebs like Emma Watson and Leonardo DiCaprio to musician Harry Styles and boxer Floyd Mayweather. The Beast claimed the site even purported to have contact info behind President Donald Trump’s official Instagram profile, which was managed by White House social media director Dan Scavino.
In addition to potentially exposing users to harassment, the breach could allow hackers to target them for social engineering attacks which could compromise their accounts. Instagram’s security hole may be linked to an incident on August 28th, when someone accessed the account of Selena Gomez—the most-followed user on the site—and posted nude photographs of Justin Bieber.
Data breaches are not the only major problem reported at the social-media giant in recent days. On Friday, Mashable reported the site’s staff is rife with individuals willing to verify Instagram accounts for prices “anywhere from a bottle of wine to $15,000, according to a dozen sources who have sold verification, bought verification for someone else, or directly know someone who has done one or the other.”