Instagram Bans Social Media Company After Data Exposure
Leak Contained Public Data From Instagram and Other Sources
Instagram has revoked the access of an Indian social media marketing company following an investigation into how the personal details of some of its users ended up in an unprotected database online.
Instagram, which is owned by Facebook, says that a deeper investigation shows that the number of affected users - first reported at 49 million - is inaccurate, and that the data which was exposed had already been set as public by Instagram users. The database also contained a mishmash of personal data from other sources, Instagram says.
The Indian company, Mumbai-based Chtrbox, could not be immediately reached for comment. Chtrbox links companies with so-called Instagram "influencers" for product promotions.
Instagram says: "We found no evidence of a vulnerability that would have allowed private contact information to be obtained, scraped or otherwise from Instagram."
As first reported by TechCrunch, Chtrbox left a database online that appeared to contain profile data for 49 million Instagram users, including their email addresses and phone numbers, and other data that was initially not believed to be public (see Database May Have Exposed Instagram Data for 49 Million).
The database - which was hosted on Amazon Web Services and not password protected - was discovered by a security researcher, Anurag Sen. Sen alerted TechCrunch, which traced the database to Chtrbox. It was soon taken offline.
In an initial statement, Chtrbox contested parts of the report, saying the database did not contain private data and that it had been collected from public sources or had been self-reported by users. It also maintained "that no personal data has been sourced through unethical means by Chtrbox."
"Our database is for internal research use only, we have never sold individual data or our database, and we have never purchased hacked-data resulting from social media platform breaches," Chtrbox said. "Our use of our database is limited to help our team connect with the right influencers to support influencers to monetize their online presence, and help brands create great content."
Chtrbox said the database was only exposed for 72 hours. However, Sen says it was indexed by the Shodan search engine on May 14, which made the exposure period longer than three days.
Only 350,000 Records
Instagram says that "following an initial investigation into the claims made in this story, we found that no private emails or phone numbers of Instagram users were accessed. Chtrbox's database had publicly available information from many sources, one of which was Instagram."
The database apparently only had 350,000 records, according to Instagram. Chtrbox collected data of Instagram users and data from other online sources, such as offline marketing efforts and in-person ones, Instagram says.
Nonetheless, Chtrbox's scraping of public information from profiles violates Instagram's platform policies, hence the ban.
TechCrunch reported it found within the database contact information for celebrities, food bloggers and other social influencers, among others. The database also contained figures estimating how much each account was worth based on metrics such as the number of followers, likes, shares and engagement, it reported.