Skip to main content

Millions of Instagram influencers reportedly had private data exposed online

Tens of millions of Instagram influencers have reportedly had their private data exposed in an online database. The records were hosted by Amazon Web Services and apparently had no password protection.

The database contained information such as phone numbers and email addresses for around 49 million Instagram influencers, celebrities, and brand accounts, according to a TechCrunch report on Monday, May 20. It also listed public data such as profile pictures and user locations.

After receiving an alert from cybersecurity researcher Anurag Sen, TechCrunch examined the records and traced the database to Chtrbox, a social media marketing company based in Mumbai, India. Chtrbox pays influencers to place sponsored content on their Instagram accounts. In addition, each Instagram account in the database reportedly showed an estimated worth, calculated by analyzing information such as the number of followers, as well as the number of likes and shares associated with different posts. This helped Chtrbox to arrive at a figure for paying an influencer.

Once it had been made aware of the security breach, Chtrbox took the database offline.

In a statement, Instagram said it’s investigating the issue “to understand if the data described — including email and phone numbers — was from Instagram or from other sources.” It added that it’s also in contact with Chtrbox “to understand where this data came from and how it became publicly available.”

In its terms of service, Instagram bans the practice of gathering data from users en masse, saying: “You must not crawl, scrape, or otherwise cache any content from Instagram including but not limited to user profiles and photos.”

Large databases like this offer rich pickings for hackers working to build up profiles of potential targets, and in this case provided a quick and easy way to find out the worth of particular influencers.

While there’s no suggestion that Instagram is at fault in this latest security hiccup, the Facebook-owned company has in the past caused consternation among its influencer community regarding such matters. In 2017, for example, a software bug gave hackers access to personal data for a number of high-profile Instagram users.

And last year, Instagram’s Download Your Data tool was discovered to have had a security flaw that leaked passwords in plain text, an issue that potentially affected not just influencers but Instagram’s entire community of more than one billion people. However, the company said that ultimately only a relatively small number of people used the tool before the bug was squashed, adding that it contacted all those affected.

Trevor Mogg
Contributing Editor
Not so many moons ago, Trevor moved from one tea-loving island nation that drives on the left (Britain) to another (Japan)…
Ikea’s latest ad campaign features a CGI influencer
ikeas latest ad campaign features a cgi influencer imma ikea

Ikea tapped an unusual influencer for its latest ad campaign — a CGI model. 

The Japan ad campaign called Happiness At Home With Imma features a CGI Instagram “influencer” known as Imma, who has over 263,000 followers on Instagram.

Read more
Instagram kept pictures and private DMs long after users deleted them
instagram profile

Instagram’s delete buttons may not have functioned as you intended them to in the last year. Independent security researcher Saugat Pokharel discovered that Instagram (via TechCrunch) kept copies of deleted pictures and private direct messages on its servers, even after someone removed them from their account.

Last year, when Pokharel downloaded an archive of his Instagram account’s data, he found that the file also contained images and messages he had deleted more than a year earlier -- suggesting that while these pictures weren’t visible on his profile, they were still present on Instagram parent Facebook’s servers.

Read more
Seven VPN apps accused of exposing more than a terabyte of private data
Man holding phone running VPN to browse anonymously.

A group of free VPN apps reportedly exposed a treasure trove of private data of millions of users. Discovered by vpnMentor, a total of seven VPN providers, all of which explicitly claimed they didn’t record their users' activities, left more than a terabyte of browsing logs out in the open for anyone to access.

The leaked data silo housed a wide range of sensitive data, some of which was personally identifiable too. VpnMentor claims it included records of the websites users visited, plain-text passwords, PayPal payment information, device specifications, email addresses, and more.

Read more