Breach Notification , Data Loss Prevention (DLP) , Governance & Risk Management
Instagram Warns Hack More Widespread Than Expected
Darknet Database Markets 6 Million Stolen Email Addresses or Phone NumbersInstagram is warning that more users were affected by a hack of its systems than it first suspected.
See Also: Webinar | Identity Crisis: How to Combat Session Hijacking and Credential Theft with MDR
The popular social media app - owned by Facebook - first warned Wednesday that a hack attack appeared to have compromised some accounts of "high-profile users." It said an unspecified number of email addresses and phone numbers were stolen due to attackers "exploiting a bug in the Instagram API."
But on Friday, Instagram warned that the hack had affected more than just "high-profile users."
The API bug has been expunged. "We quickly fixed the bug, and have been working with law enforcement on the matter," Instagram CTO Mike Krieger said in a Friday blog post.
Instagram, however, says it does not know exactly how many of its 700 million monthly users may have had their personal details stolen or accounts hacked. "Although we cannot determine which specific accounts may have been impacted, we believe it was a low percentage of Instagram accounts," Krieger says.
But its estimate might be based on a darknet site that claims to be offering email addresses, and in some cases also phone numbers, tied to 6 million Instagram accounts.
British cybersecurity firm RepKnight reports that email addresses and phone numbers associated with hacked Instagram accounts - including for 500 celebrities - are now being offered for sale on darknet sites. But it's unclear whether all of those credentials are legitimate, or if scammers might also be at work.
Hedge: 'Abundance of Caution'
As a result of not knowing who may have been affected by the breach, Instagram has had to issue a general alert to all users. While it says it's doing so "out of an abundance of caution," such language is typically code for an organization having been breached, but not being able to identify how bad the breach may have been or who was affected.
"We encourage you to be vigilant about the security of your account, and exercise caution if you observe any suspicious activity such as unrecognized incoming calls, texts or emails," Instagram CTO Krieger said. "Additionally, we're encouraging you to report any unusual activity through our reporting tools."
High-Profile Users Alerted First
Instagram first sounded an alert over the API hack Wednesday in a message to all verified users, which are account badges granted to any "public figure, celebrity or global brand" that's at high risk of being targeted by a hacker, and which requests such an account.
The warning said that "one or more individuals obtained unlawful access to a number of high-profile Instagram users' accounts," according to a copy of the alert posted by American actor Gregory Michael. Instagram's alert followed a Wednesday post to a bitcoin forum advertising an Instagram "lookup service" for $10 per record, with discounts offered for "bulk deals."
Instagram got hacked, and they just sent this e-mail to me. Just fantastic... my cell phone number compromised. #instagramhack pic.twitter.com/OkFzFP1pIw
— Gregory Michael (@GregoryMichael) August 30, 2017
Instagram's alert to high-profile users also urged them to take further security steps. "To make your account more secure, ensure two-factor authentication is enabled and pick a strong, unique password and keep it safe," Instagram says in the alert.
While Instagram urged verified account holders to activate two-factor authentication, it did not issue the same recommendation to its user base at large.
Doxagram Database Markets Stolen Details
Instagram says that stolen account details have already surfaced online, via a searchable darknet database called Doxagram, which claims to have credentials for 6 million users, which it's offering for sale for $10 per account.
Contact your most loved celebrities by phone or email. ONLY $10.
— DoxAGram (@doxagram_insta) September 4, 2017
RepKnight says compromised accounts being offered for sale tie to actors Emma Watson, Emilia Clarke and Leonardo Di Caprio; musicians Harry Styles, Ellie Goulding, Beyoncé, Lady Gaga and Taylor Swift; and sports figures Floyd Mayweather, David Beckham and Ronaldinho, among others. It adds that accounts operated by numerous brands and high-profile organizations - including Adidas, Chanel, NASA and Nike - are also being offered for sale.
Short of paying $10 to access each account that's for sale and calling every phone number to see who answered, RepKnight said that it was not possible to confirm whether every one of the advertised account credentials might be legitimate.
Tied to Gomez Account Hack?
Instagram couldn't be immediately reached for comment on whether last week's reported hack of the world's most-followed Instagram account, belonging to U.S. pop star Selena Gomez - who counts 126 million followers - was related to the flaw.
As Variety reported, the hack came to light after nude pictures of her ex-boyfriend, Canadian singer Justin Bieber, were posted to her account. The account was briefly taken offline and the photos - which first surfaced in 2015, Variety reports - were expunged and the account quickly restored.
Meanwhile, Instagram has apologized for the breach. "Protecting the community has been important at Instagram from day one, and we're constantly working to make Instagram a safer place," Krieger said. "We are very sorry this happened.