- West Virginia corrections employees suspended after Nazi salute photo surfaces Thursday 8:02 PM
- Here are the 15 best Eddie Murphy movies available to stream Thursday 7:56 PM
- Ex-InfoWars video editor admits to making up Islamophobic stories Thursday 6:55 PM
- WhatsApp accounts deleted amid Kashmir internet blackout Thursday 6:21 PM
- Guy gets mocked for tattoo of Baby Yoda drinking White Claw Thursday 6:18 PM
- Spotify Wrapped has people asking just how much it knows about us Thursday 5:50 PM
- Instagram account allegedly asked for inappropriate photos of children Thursday 5:16 PM
- How to stream ‘Boys vs. Bears on Thursday Night Football Thursday 4:33 PM
- Woman caught her boyfriend cheating through his Fitbit Thursday 4:29 PM
- The Pete Buttigieg ‘High Hopes’ dance was designed by an intern Thursday 4:17 PM
- TikTok admits to hiding content made by fat, LGBTQ, and disabled users Thursday 3:58 PM
- ‘Merry Happy Whatever’ is an unoriginal sitcom with plenty of holiday cheer Thursday 3:55 PM
- The ‘Pod Save America’ Bros are losing it over Joe Biden’s newest ad Thursday 3:28 PM
- Van Halen had a wholesome response in defense of Billie Eilish Thursday 3:15 PM
- Influencer faces wrath of K-pop fans after her son played with penis-shaped soap Thursday 1:27 PM
Instagram initially confirmed a bug on Wednesday that left users’ personal data vulnerable, but it wasn’t clear how many people were affected. According to the Verge, the social giant has now confirmed the bug allowed hackers to compile email addresses and phone numbers from “millions of accounts.”
Ars Technica says someone reached out to the site claiming to have collected data from 6 million Insta users. The anonymous group even provided the publication with a sample of 10,000 stolen records.
Ars confirmed the records with Troy Hunt, security researcher and owner of breach notification service Have I been Pwnd. “My conclusion: There’s nothing in here to disprove the data,” Hunt said. “It’s ‘possible’ it has been scraped together from other sources, but every indication is that it’s legitimate and the vector you wrote about earlier is absolutely feasible and certainly not unprecedented.”
The hackers also provided the Daily Beast with a sample of 1,000 records that includes a phone number, email, or both. The hackers said they set up their scraper to first gather contact information from accounts with more than 1 million followers. One of the accounts allegedly belongs to the official Instagram page for POTUS. Others allegedly belong to Cristiano Ronaldo, Jennifer Lopez, Drake, and several other celebrities. To make matters worse, unverified users also appear to have been hacked.
The people behind the site, called “Doxagram,” are reportedly selling the information for $10 in Bitcoin per search, “So far we’ve had 12 deposits totaling around $500,” the site operator told Ars six hours after going live. “Not a horrible start.”
Instagram patched its bug shortly after it was first discovered, but the damage was done.
Instagram co-founder and chief technical officer Mike Krieger said in a blog post he believes a “low percentage” of Instagram users were affected. That doesn’t say much considering there are more than 700 million members. Krieger also said the company is working with law enforcement, and he encouraged users to be careful receiving texts and phone calls from unknown numbers.
The social giant gave the Daily Beast the same comment it put out Thursday:
“We recently discovered that one or more individuals obtained unlawful access to a number of high-profile Instagram users’ contact information—specifically email address and phone number—by exploiting a bug in an Instagram API. No account passwords were exposed. We fixed the bug swiftly and are running a thorough investigation.
Our main concern is for the safety and security of our community. At this point we believe this effort was targeted at high-profile users so, out of an abundance of caution, we are notifying our verified account holders of this issue. As always, we encourage people to be vigilant about the security of their account and exercise caution if they encounter any suspicious activity such as unrecognized incoming calls, texts and emails.”
The Daily Dot has reached out to Instagram for comment.
H/T the Verge
Phillip Tracy is a former technology staff writer at the Daily Dot. He's an expert on smartphones, social media trends, and gadgets. He previously reported on IoT and telecom for RCR Wireless News and contributed to NewBay Media magazine. He now writes for Laptop magazine.