
A massive database containing contact information of millions of Instagram influencers, celebrities and brand accounts has been found online.
The database, hosted by Amazon Web Services, was left exposed and without a password, allowing anyone to look inside. At the time of writing, the database had over 49 million records, though it was growing by the hour.
From a short review of the data, each record contained public information scraped from influencer Instagram accounts, as well as their bio, profile image, the number of followers they have, whether they’re verified and their location by city and country, but also contained their personal contact information, such as the Instagram account owner’s email address and telephone number.
Security researcher Anurag Sen discovered the database and alerted TechCrunch in an effort to find the owner and get the database secured. We traced the database back to Mumbai-based social media marketing firm Chtrbox, which pays influencers to post sponsored content on their accounts. The records contained information that calculated the worth of each account, based on the number of followers, engagement, reach, likes and shares they had. This was used as a metric to determine how much the company could pay an Instagram celebrity or influencer to post an ad.
TechCrunch found several high-profile influencers in the exposed database, including prominent food bloggers, celebrities and other social media influencers.
We contacted several people at random whose information was found in the database and provided them with their phone numbers. Two of the people responded and confirmed that the email address and telephone number found in the database were used to set up their Instagram accounts. Neither had any involvement with Chtrbox, they said.
Shortly after we reached out, Chtrbox pulled the database offline. Pranay Swarup, the company’s founder and chief executive, didn’t respond to a request for comment and several questions, including how the company obtained personal Instagram account email addresses and phone numbers. Later, in a tweet, Chtrbox disputed the number of people affected and claimed no more than 350,000 influencers were affected.
Chtrbox also said the database was only open for 72 hours; however, the researcher confirmed the database was first detected on Shodan, a search engine for exposed databases and devices, on May 14.
The scraping effort comes two years after Instagram admitted a security bug in its developer API allowed hackers to obtain the email addresses and phone numbers of six million Instagram accounts. The hackers later sold the information for bitcoin. Months later, Instagram, now with more than a billion users, throttled its API to limit the number of requests apps and developers can make on the platform.
Facebook, which owns Instagram, later said it disputed the report.
“We take any allegation of information misuse seriously. Following an initial investigation into the claims made in this story, we found that no private emails or phone numbers of Instagram users were accessed,” said an Instagram spokesperson. “Chtrbox’s database had publicly available information from many sources, one of which was Instagram. Chtrbox also clarified that the database contained information for 350,000 people, not 49 million as has been reported.”
“We’re looking into the problem to understand if the information described – as well as email and phone numbers – was from Instagram or from other sources,” said an updated statement.
“We’re also inquiring with Chtrbox to understand where this information came from and how it became publicly accessible,” it added.