Breach Notification , Data Loss Prevention (DLP) , Governance & Risk Management

Instagram Warns Hack More Widespread Than Expected

Darknet Database Markets 6 Million Stolen Email Addresses or Phone Numbers
Instagram Warns Hack More Widespread Than Expected
Photo: Perzonseo Webbyra (Flickr/CC)

Instagram is warning that more users were affected by a hack of its systems than it first suspected.

See Also: Webinar | Identity Crisis: How to Combat Session Hijacking and Credential Theft with MDR

The popular social media app - owned by Facebook - first warned Wednesday that a hack attack appeared to have compromised some accounts of "high-profile users." It said an unspecified number of email addresses and phone numbers were stolen due to attackers "exploiting a bug in the Instagram API."

But on Friday, Instagram warned that the hack had affected more than just "high-profile users."

The email address - but not phone number - tied to the Instagram account for pop star Miley Cyrus is being offered for sale via Doxagram. (Source: RepKnight)

The API bug has been expunged. "We quickly fixed the bug, and have been working with law enforcement on the matter," Instagram CTO Mike Krieger said in a Friday blog post.

Instagram, however, says it does not know exactly how many of its 700 million monthly users may have had their personal details stolen or accounts hacked. "Although we cannot determine which specific accounts may have been impacted, we believe it was a low percentage of Instagram accounts," Krieger says.

But its estimate might be based on a darknet site that claims to be offering email addresses, and in some cases also phone numbers, tied to 6 million Instagram accounts.

British cybersecurity firm RepKnight reports that email addresses and phone numbers associated with hacked Instagram accounts - including for 500 celebrities - are now being offered for sale on darknet sites. But it's unclear whether all of those credentials are legitimate, or if scammers might also be at work.

Hedge: 'Abundance of Caution'

As a result of not knowing who may have been affected by the breach, Instagram has had to issue a general alert to all users. While it says it's doing so "out of an abundance of caution," such language is typically code for an organization having been breached, but not being able to identify how bad the breach may have been or who was affected.

"We encourage you to be vigilant about the security of your account, and exercise caution if you observe any suspicious activity such as unrecognized incoming calls, texts or emails," Instagram CTO Krieger said. "Additionally, we're encouraging you to report any unusual activity through our reporting tools."

High-Profile Users Alerted First

Instagram first sounded an alert over the API hack Wednesday in a message to all verified users, which are account badges granted to any "public figure, celebrity or global brand" that's at high risk of being targeted by a hacker, and which requests such an account.

The warning said that "one or more individuals obtained unlawful access to a number of high-profile Instagram users' accounts," according to a copy of the alert posted by American actor Gregory Michael. Instagram's alert followed a Wednesday post to a bitcoin forum advertising an Instagram "lookup service" for $10 per record, with discounts offered for "bulk deals."

Instagram's alert to high-profile users also urged them to take further security steps. "To make your account more secure, ensure two-factor authentication is enabled and pick a strong, unique password and keep it safe," Instagram says in the alert.

While Instagram urged verified account holders to activate two-factor authentication, it did not issue the same recommendation to its user base at large.

Doxagram Database Markets Stolen Details

Instagram says that stolen account details have already surfaced online, via a searchable darknet database called Doxagram, which claims to have credentials for 6 million users, which it's offering for sale for $10 per account.

RepKnight says compromised accounts being offered for sale tie to actors Emma Watson, Emilia Clarke and Leonardo Di Caprio; musicians Harry Styles, Ellie Goulding, Beyoncé, Lady Gaga and Taylor Swift; and sports figures Floyd Mayweather, David Beckham and Ronaldinho, among others. It adds that accounts operated by numerous brands and high-profile organizations - including Adidas, Chanel, NASA and Nike - are also being offered for sale.

Some of the email addresses and phone numbers tied to Instagram accounts that are being offered for sale via Doxagram. (Source: RepKnight)

Short of paying $10 to access each account that's for sale and calling every phone number to see who answered, RepKnight said that it was not possible to confirm whether every one of the advertised account credentials might be legitimate.

Tied to Gomez Account Hack?

Instagram couldn't be immediately reached for comment on whether last week's reported hack of the world's most-followed Instagram account, belonging to U.S. pop star Selena Gomez - who counts 126 million followers - was related to the flaw.

As Variety reported, the hack came to light after nude pictures of her ex-boyfriend, Canadian singer Justin Bieber, were posted to her account. The account was briefly taken offline and the photos - which first surfaced in 2015, Variety reports - were expunged and the account quickly restored.

Meanwhile, Instagram has apologized for the breach. "Protecting the community has been important at Instagram from day one, and we're constantly working to make Instagram a safer place," Krieger said. "We are very sorry this happened.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.