A security researcher has discovered a publicly accessible database with the details of millions of Instagram users, including their contact details.
As TechCrunch reports, Anurag Sen discovered the database of more than 49 million records – visible to anyone to access via the internet, no password required, on an unprotected Amazon Web Services bucket.
Each entry in the database contains information apparently scraped from Instagram profiles: user biography, profile picture, the number of people following them, whether the account has been verified, their city and country, as well as more sensitive information such as the email address of the account owner and telephone number.
However, it was the information stored alongside this personal data that gave a clue as to where the data may have leaked from, as TechCrunch explains:
We have traced the database back to Mumbai social media marketing agency Chtrbox, which pays influencers to place sponsored content on their accounts. Each record in the database contained a record that calculated the value of each account based on the number of followers, involvement, reach, likes and shared content. This was used as a metric to determine how much the company could pay a celebrity or influencer on Instagram to place an ad.
Chtrbox has posted a message on its website that it has protected its leaky server, but it disputes details of the TechCrunch report that it described as "inaccurate":
In the more than three years that we have been active, we have never had data from more than 350,000 influencers, so the claim that Chtrbox is responsible for leaking millions of records is downright impossible and false. This database contained information that was already available in the public domain, with a nominal amount that was self-reported by influencers. Other public data points, such as the number of followers and engagement statistics with which we can select relevant influencers for brand collaboration, are also included.
In short, Chtrbox says it only uses the data it has collected for internal purposes – specifically to help its team put brands in contact with influencers who can help them promote brands and services on Instagram.
That's all well and good, but how did the database end up on the public web, easy to find for anyone familiar with Shodan?
Even if Chtrbox scraped the information it collected about Instagram users from public sources, something clearly went wrong in how that data was then exposed.
Chtrbox acknowledges in its statement that a "certain database of limited influencers was accidentally left uncovered for 72 hours" due to a "database vulnerability", although TechCrunch reporter Zack Whittaker disputes this, saying the database was actually accessible for longer than that:
Actually it was first discovered on Shodan on May 14, so this is not at all correct. https://t.co/O4bfivcR9y
– Zack Whittaker (@zackwhittaker) May 21, 2019
I wonder how Instagram, owned by Facebook, feels about this. There is a good chance that many people will see the headlines about a database of millions of Instagram influencers being exposed online and assume that the company has suffered yet another security lapse, without reading the story in depth.
If a company scrapes information about your users from your site and then carelessly spills that data onto the internet, users are likely to feel aggrieved.
Consumers and regulators alike expect and insist that social networks take more care of their many millions of users and be more proactive in controlling who – if anyone – is allowed to scoop up that valuable data.
Ultimately, more headlines like this do the likes of Instagram and Facebook no good at all.
Publisher's note: The opinions expressed in this article by guest authors are solely those of the author and do not necessarily reflect those of Tripwire, Inc.