Instagram initially confirmed a bug on Wednesday that left users’ personal data vulnerable, but it wasn’t clear how many people were affected. According to the Verge, the social giant has now confirmed the bug allowed hackers to compile email addresses and phone numbers from “millions of accounts.”
Ars Technica says someone reached out to the site claiming to have collected data from 6 million Insta users. The anonymous group even provided the publication with a sample of 10,000 stolen records.
Ars confirmed the records with Troy Hunt, security researcher and owner of the breach notification service Have I Been Pwned. “My conclusion: There’s nothing in here to disprove the data,” Hunt said. “It’s ‘possible’ it has been scraped together from other sources, but every indication is that it’s legitimate and the vector you wrote about earlier is absolutely feasible and certainly not unprecedented.”
The hackers also provided the Daily Beast with a sample of 1,000 records, each including a phone number, an email address, or both. The hackers said they set up their scraper to first gather contact information from accounts with more than 1 million followers. One of the accounts allegedly belongs to the official Instagram page for POTUS. Others allegedly belong to Cristiano Ronaldo, Jennifer Lopez, Drake, and several other celebrities. To make matters worse, unverified users also appear to have been hacked.
The people behind the site, called “Doxagram,” are reportedly selling the information for $10 in Bitcoin per search. “So far we’ve had 12 deposits totaling around $500,” the site operator told Ars six hours after going live. “Not a horrible start.”
Instagram patched its bug shortly after it was first discovered, but the damage was done.
Instagram co-founder and chief technical officer Mike Krieger said in a blog post he believes a “low percentage” of Instagram users were affected. That doesn’t say much considering there are more than 700 million members. Krieger also said the company is working with law enforcement, and he encouraged users to be careful receiving texts and phone calls from unknown numbers.
The social giant gave the Daily Beast the same comment it put out Thursday:
“We recently discovered that one or more individuals obtained unlawful access to a number of high-profile Instagram users’ contact information—specifically email address and phone number—by exploiting a bug in an Instagram API. No account passwords were exposed. We fixed the bug swiftly and are running a thorough investigation.
Our main concern is for the safety and security of our community. At this point we believe this effort was targeted at high-profile users so, out of an abundance of caution, we are notifying our verified account holders of this issue. As always, we encourage people to be vigilant about the security of their account and exercise caution if they encounter any suspicious activity such as unrecognized incoming calls, texts and emails.”
The Daily Dot has reached out to Instagram for comment.
H/T the Verge