A security researcher says he found a flaw in the Instagram website that allowed thousands of users’ email addresses and phone numbers to be exposed online for several weeks.
David Stier, a data scientist and business consultant, told CNET the website’s source code for some Instagram user profiles revealed the users’ contact information when loaded into a browser.
The contact information wasn’t displayed on the account holder’s profile on the desktop version of the Instagram site; however, it was used by the photo-sharing site’s app for communication. It isn’t clear why the information was included in the website’s source code.
The leaked information came from thousands of accounts, including those held by private users, some of them minors, as well as brands and businesses. Stier says he alerted Instagram to the issue back in February, and the Facebook-owned photo-focused social platform issued a patch for the flaw in March.
Stier says the details included in the source code could have made it easy for hackers to scrape the data from the website and use it to compile a database of the contact info for thousands of Instagram users.
It is possible that a similar data scrape may have already occurred, as on Monday it was revealed that a database containing contact info for millions of Instagram celebrities, influencers and brands had been leaked online.
The leak included public Instagram data, such as profile picture, biography, and follower numbers, as well as private contact information such as phone numbers and email addresses.
The database was traced back to Mumbai-based social media marketing firm Chtrbox, which pays influencers to post sponsored content on their accounts. The records included the calculated “worth” of each account based on follower count, engagement, reach, likes, and shares. The information was used as a metric to determine how much the company could pay an Instagram celebrity or influencer to post an ad.
Instagram parent firm Facebook says it is looking into the issue and aiming to determine whether the data was from Instagram or other sources.