- An unprotected database belonging to a marketing firm has exposed millions of high-profile Instagram accounts.
- Among other things, the database entries contain the private personal contact details of each user.
- It is unclear how the company got this data in the first place, as most of the users never collaborated with them.
According to a TechCrunch report based on the findings of a security researcher going by the name 'Anurag Sen,' an unprotected online database was found to contain the contact information of millions of Instagram influencers, celebrities, and other highly popular accounts. The database is live, meaning that it is continuously updated and enriched, and it holds more than 49 million records. Due to the massive amount of data, it is impossible to tell how many records are originals and how many are duplicates, so the number of affected people is unknown, but it is undoubtedly an astronomical figure.
The entries consist of a short bio taken from Instagram, the profile picture, the number of followers, the location, the verification status, and the private contact information, including the email address and phone numbers. Now, that's where all the meat is for hackers who want to take over celebrity and influencer accounts, as knowing the email and phone number is the first step for breaking that 2FA protection nut. Apparently, the database belongs to a social media marketing firm called “Chtrbox”, based in Mumbai (India). They basically connect social media influencers and brands, run promotional campaigns on Instagram, and then pay the influencers upon the completion of the campaign.
Chtrbox has not issued an official response about the discovery of the unprotected database, either on their website or on any social media channel. However, upon being notified about the issue, the company immediately secured the database. An interesting finding was that many of the influencers whose private contact information was found in the database never directly collaborated with Chtrbox, so the social media marketing company will now need to explain how they got their hands on that data in the first place.
This story reminds us of the Octoly breach that exposed the data of 12,000 influencers back in February 2018. Octoly operated in a similar sector to Chtrbox, but the amount of data that was leaked was way smaller. The Indian company may have managed to gather all of that information, without the exposed entities knowing about it, by buying it on darknet forums, where millions of Instagram accounts are for sale. Instagram had admitted that a flaw in their API permitted the exfiltration of private contact details by hackers, and had it fixed only about a year ago.