The private information of millions of prominent Instagram users was left exposed online in an unsecured database, TechCrunch reports.
Discovered by security researcher Anurag Sen, the Amazon-hosted database was not protected by a password and contained more than 49 million records.
Those records, which pertain to Instagram influencers and celebrities, included everything from “their bio, profile picture, the number of followers they have, if they’re verified and their location by city and country” to “the Instagram account owner’s email address and phone number.”
The database reportedly belongs to Chtrbox, a social media marketing firm based in Mumbai, India, that pays certain Instagram users to post sponsored content.
Chtrbox pulled the database offline after being alerted to the issue but did not explain how it came to possess Instagram users’ email addresses and phone numbers.
In a statement to TechCrunch, Facebook, which purchased Instagram in 2012, said it was investigating how the issue unfolded.
“We’re looking into the issue to understand if the data described—including email and phone numbers—was from Instagram or from other sources,” the company said. “We’re also inquiring with Chtrbox to understand where this data came from and how it became publicly available.”
The incident is not the first time that high-profile Instagram users have had their data compromised.
Hackers in 2017 were able to obtain the phone numbers and email addresses of some of Instagram’s biggest users, including President Donald Trump and the rapper Drake, and sold them for bitcoin on the dark web.
The Daily Dot has reached out to Instagram for comment.