It seems that the long queue of scandals regarding private information of social media users has no end. After a series of personal information leaks from Facebook and Twitter, the question of safety of private information became even more important than before. The latest mess that Instagram users found themselves in is proof that we should take this conversation as seriously as possible.
Over 49 million entries containing personal and even private information of Instagram influencers are publicly available in an Amazon-hosted database. Anurag Sen, a security technology specialist, reported the issue to TechCrunch and notified Instagram.
The database contained Instagram links, profile pictures, the number of followers, e-mail addresses used to set up accounts, and even phone numbers. In the database, each account was also accompanied by a special rating that determined the commercial value of ads that could be posted from these accounts. As it turned out, the people who scraped and categorized all this data work for a marketing company from India.
Chtrbox is a company that pays Instagram influencers for advertisements and works to connect people who want their goods to be promoted online and people who are willing to promote said goods. This particular commercial scheme does not seem malevolent. On the contrary, it helps people who are able to build massive numbers of followers to monetize their influence.
The concerning part is that the information about these users is obtained by employing unethical and possibly illegal practices. Note that affected Instagram users were not associated with Chtrbox and some had no prior knowledge of the existence of the Indian marketing company.
Chtrbox refused to comment on the problem and did not explain how it obtained the data. Another worrying point is that the data is publicly available, meaning that even if Chtrbox has strictly business-related intentions for the scraped personal information, other people with malevolent intentions may also obtain and use it. In fact, TechCrunch journalists tried using phone numbers from the database to reach out to affected Instagram users and discovered that the data is valid.
The trend continues
Instagram has revealed several issues with its API, which was vulnerable to scraping attempts. The company tried to close the gaping weakness in its security, but it seems that those efforts were futile. Two years ago, a problem with the API allowed hackers to obtain private information of six million Instagram users. However, the number of monthly active users grew over the course of the last two years. Today, the platform has over a billion monthly active users.
Instagram tried to limit potential threats by reducing the number of requests that a single application can make when interacting with the API. However, Chtrbox or its affiliates found a way to obtain private data despite Instagram’s efforts to protect it.
Facebook representatives told journalists from TechCrunch that they are determined to identify and get rid of the issue as soon as possible. Facebook, the owner of Instagram, investigated the issue and started questioning Chtrbox management about how they were able to scrape so much data.
About seven months ago, in December 2018, Instagram failed to protect the passwords of its users and made thousands of passwords available to hackers. During that incident, the information was not leaked to third parties and was identified internally.
In February of 2019, Instagram and a couple of other tech companies, including OKCupid, were subjected to scrutiny when a publicly available database with over 14 million entries, some including addresses and phone numbers, was discovered by TechCrunch journalists. The people who created the database stayed in the shadows and did not identify themselves. However, their methods proved to be quite effective, as they collected an impressive amount of data on several million Instagram users.
These stories are even more important considering the sheer volume of data leakages exposed by journalists investigating Facebook. Remember that Facebook is the owner of Instagram. The irresponsibility and seemingly nonchalant attitude of the company in regard to these issues are quite concerning. Facebook needs to step up its game and react to such issues more quickly.
The Amazon database was taken down by Chtrbox when Facebook started its investigation.