Startup secretly collected millions of Instagram users’ location data, stories

A San Francisco startup secretly collected millions of Instagram users’ stories and location data in violation of the platform’s rules, Business Insider reports.

Marketing firm Hyp3r, which was designated by Instagram as a preferred advertising partner, was able to create “detailed records” on users by scraping their bios, content from their stories, and their physical locations.

While it remains unclear just how many users were affected, Business Insider says former Hyp3r employees alleged that more than 1 million Instagram posts are collected by the company every month. Hyp3r has also publicly stated that it has “a unique dataset of hundreds of millions of the highest value consumers in the world.”

One of the former Hyp3r employees questioned Instagram’s security practices, arguing that the tech company could have easily protected users’ location data.

“For [Instagram] to leave these endpoints open and let people get to this in a backchannel sort of way, I thought was kind of hypocritical,” the former employee said.

Although Hyp3r only collected data from public accounts, Instagram sent the company on Wednesday a cease-and-desist letter after learning of the firm’s actions.

An Instagram spokesperson said in a statement that Hyp3r clearly violated the platform’s policies.

“HYP3R’s actions were not sanctioned and violate our policies. As a result, we’ve removed them from our platform,” the spokesperson said. “We’ve also made a product change that should help prevent other companies from scraping public location pages in this way.”

Hyp3r CEO Carlos Garcia argued in an emailed statement to Business Insider, however, that its actions were not in violation of Instagram’s rules.

“HYP3R is, and has always been, a company that enables authentic, delightful marketing that is compliant with consumer privacy regulations and social network Terms of Services,” Garcia wrote. “We do not view any content or information that cannot be accessed publicly by everyone online.”

Although Instagram previously allowed the sort of location data collection done by Hyp3r, the social media company’s policies changed following the Cambridge Analytica scandal.

Former Hyp3r employees say the firm found workarounds that allowed them to still collect location data even after Instagram’s policies were changed.

The story comes as Facebook, which owns Instagram, works to further integrate its family of apps into the main brand. Critics have argued that doing so will only tarnish the image of apps like Instagram which have been somewhat insulated from Facebook’s repeated privacy scandals.

READ MORE:

H/T Business Insider

Mikael Thalen

Mikael Thalen

Mikael Thalen is a tech and security reporter based in Seattle, covering social media, data breaches, hackers, and more.