A large database containing contact details for millions of accounts owned by celebrities, famous brands, and influential people was left publicly accessible. It was hosted on an Amazon server and had no password protection, so anyone could access the information it contained without restriction. About 50 million entries were exposed to the open Internet.
The database held publicly available data that had been collected from Instagram user accounts. Biographies, profile photos, follower counts, and frequently visited geolocations were thus available in one place. The database also contained personal contact information: the phone numbers and e-mail addresses of the Instagram account owners.
Anurag Sen, the security researcher who found the database, told TechCrunch about its existence. A search for the source began, and it was soon found: the marketing firm Chtrbox, located in Mumbai. The firm was in the business of buying content from influential individuals to be posted on their accounts. It collected information that let it calculate the value of a specific account it planned to cooperate with. Chtrbox therefore had data on the number of followers, user activity and engagement, audience reach, and the shares these influential persons had. Using these indicators, the company assessed its options and calculated the benefit it would receive from paid advertising with a particular influential user or celebrity.
On closer examination of the database, TechCrunch found information about popular and reputable users: well-known bloggers, famous people, and other active social media personalities. Some of the users whose data was found in the database were contacted, and they confirmed that the information was true, as they had used that e-mail address and phone number to set up their Instagram accounts. They also reported that they had never cooperated with Chtrbox or even been in contact with the firm.
After information about the unprotected database was publicized, Chtrbox hastily took it offline. The founder and CEO of the company, Pranay Swarup, did not respond to questions about how his company came to have the personal contact details of influential Instagram users and did not provide any comment. A little later, however, Chtrbox claimed on Twitter that the number of affected users did not exceed 350 000 and that the database had been openly available for no more than 72 hours, although a security researcher provided evidence that Shodan, the search engine for open databases and devices, first discovered it on May 14.
The incident came 2 years after Instagram confirmed a flaw in its system and a bug in its developer API, which allowed hackers to steal the contact details of 6 million users and sell them to third parties for bitcoin.
A couple of months later, when the number of Instagram users exceeded 1 billion, the company throttled its API, limiting the number of requests from applications and the developer actions performed on the platform.
Regarding the recent incident, Facebook, the owner of Instagram, announced that it would dispute the report and conduct its own investigation. The company said that all claims of data misuse involving Instagram are subject to special consideration.
After reviewing all the information, the Instagram representative said that the Chtrbox database did not contain a single actual personal e-mail address or phone number. He also confirmed that it held publicly available information collected from various sources, including Instagram, and covered only 350 000 users rather than the 50 million indicated in the report. Nevertheless, the company is still trying to find out from Chtrbox exactly where user data such as phone numbers and e-mail addresses came from and why it was not protected.