Web application security testing specialists reported finding a massive database exposed online that contained contact data for millions of Instagram influencers, celebrities, and business accounts.
Experts mention that the database was hosted on Amazon Web Services (AWS) and was exposed without any authentication measures, so any user could access the leaked information. When detected, the database held almost 50 million records, although experts report that the size of the file was constantly growing.
After a preliminary review, it was reported that the database contained information about the influencers of this social network, such as:
- Profile bio
- Profile photo
- Account data (verification, number of followers)
- Email addresses
- Phone numbers
Web application security testing experts tried to find the owners of the database so that it could be secured. The search led to Chtrbox, a social media marketing company headquartered in Mumbai. The firm calculates the value of an account according to several variables (number of followers, scope, ‘likes’, total interactions, etc.) to determine how much to pay each account for posting sponsored content.
Web application security testing specialists used a random sample of the data to contact the affected people; the owners of these Instagram accounts confirmed the veracity of the exposed data, although they denied having any business relationship with Chtrbox.
After the incident was reported, the company took the database offline from AWS, although no member of the company had made any statement about it. A few days later, through its Twitter account, the marketing firm stated that the number of accounts exposed was less than 350k and that the database remained unsecured for only three days; however, the experts were able to confirm that the database had been detected on Shodan since May 14.
Specialists from the International Institute of Cyber Security (IICS) mention that Facebook, Instagram's parent company, will investigate the incident to determine whether Chtrbox obtained the data directly from the social media platform or resorted to other sources.