Mumbai firm caught harvesting Instagram data in possible data breach

A database of around 50 million Instagram accounts has been found online by a security researcher, with a number of prominent influencers in the list. Researcher Anurag Sen discovered the database running on a publicly accessible Amazon AWS server with no password and raised the red flag about the suspicious nature of the data being collected.

 

Tech website TechCrunch investigated and found that the database was growing by the hour and seemed to contain information scraped from millions of users' public profiles such as their bios and profile pictures, but it didn't end there. The database also somehow contained users' private email addresses and phone numbers that were confirmed to be those used to register for Instagram, hinting at a potential data breach. 

 

Investigators were able to trace the database back to Mumbai-based social media marketers Chtrbox, a company that pays social media influences to promote sponsored content. In addition to scraping user data, Chtrbox appeared to have calculated a sort of social media capital value for each influencer in the list based on metrics such as follower count and social media reach on posts.

The database held data on around 50 million users when it was discovered and it was still growing, indicating that the company was still actively scraping data. That doesn't explain how they got their hands on private user data, though. One possibility is that they bought the private data from a black market source and were scraping public data to fill in the blanks and calculate their social value scores.

Instagram suffered a data breach two years ago when it was discovered that a bug in their API allowed hackers to obtain the email addresses and phone numbers of users. It's also possible that a new API exploit has been discovered or the data has been leaked from within Instagram. Facebook (which owns Instagram) said it is investigating where the data may have come from.