Up to six million Instagram users may have had their email addresses and phone numbers made public following a data breach.
What initially appeared to be a hack only affecting celebrities and verified accounts has been shown to have also affected many ordinary users.
The breach initially came to prominence when Instagram’s most followed user, Selena Gomez, had her account hacked, and a nude photo of her ex-boyfriend Justin Bieber was posted to the account.
Instagram officials stated that the flaw that had allowed this to happen had been fixed, but it then became apparent that the breach was more significant than that.
A bug left some users’ phone numbers and email addresses exposed even if they hadn’t been made public. In a blog post, Instagram CTO Mike Krieger confirmed the existence of the bug, stating: ‘we want to let you know that we recently discovered a bug on Instagram.
‘We quickly fixed the bug, and have been working with law enforcement on the matter. Although we cannot determine which specific accounts may have been impacted, we believe it was a low percentage of Instagram accounts.’
However, it appears that the exposed data was stolen by hackers before the bug had been fixed. The hackers, in turn, created a searchable database called ‘Doxagram’, where they sold searches for $10 a go. The Daily Beast tested and confirmed the authenticity of the database.
The database was concentrated on high-profile accounts, with names such as Emma Watson, Leonardo DiCaprio, and Harry Styles reportedly affected, as found by cybersecurity firm RepKnight. According to one report, the email address connected to the official U.S. President’s page had been made public.
The hackers say that they in fact have access to six million users’ details, which would match Instagram’s statement on a ‘low percentage’ of users being affected.
Though Doxagram is now offline, the hackers will still have the information available, and it is likely to be available on the dark web. For those celebrities affected, this means they may have to change their phone numbers and email addresses.