On Wednesday, Instagram announced it had fixed a bug that allowed hackers to learn users’ phone numbers and email addresses. But for thousands of people—including some of the massive social network’s most famous members—it may be too late.
Hackers have launched a website with a searchable database of some Instagram users’ alleged personal info. The data, a sample of which the hackers provided to The Daily Beast, appears to include email addresses and phone numbers for a selection of high profile Instagram users, including politicians, sports stars, and media companies. The data also seems to contain information on more ordinary accounts.
“Instagram clearly hasn’t yet understood the full impact of this bug,” one of the people behind the site, dubbed ‘Doxagram,’ told The Daily Beast.
The person provided a list of 1,000 alleged Instagram accounts. Each entry also included either an email address, a phone number, or both.
To verify the authenticity of the sample, The Daily Beast tried to create new accounts on Instagram with a random selection of email addresses from the list. In every case, the email address was already linked to an Instagram account.
Although the majority of the tested email addresses were also publicly available elsewhere on the internet, many did not return any relevant Google results, implying they were obtained from some private source. Many of the emails were also not included in large-scale data breaches, such as LinkedIn, according to breach notification site Have I Been Pwned?, implying that the hackers may not have simply dug up records from previous, publicized security incidents.
Earlier this week, at around the same time hackers were using this exploit, someone seemingly took over Selena Gomez’s account and posted naked photos of Justin Bieber.
The Daily Beast reached out to a wide selection of users included in the latest sample. One, reached by email, confirmed their username, that this was the address they used for Instagram, and that their account did not have any phone number linked to it, all of which matched the data.
Some of the accounts in the list are seemingly high profile. One entry is allegedly for the official President of the United States’ Instagram account. The Daily Beast confirmed that the listed email address, which appears to belong to Dan Scavino, the White House director of social media and assistant to the president, was linked to an Instagram account. The corresponding phone number rang, but no one returned calls, and an email failed to deliver to the address.
Another alleged account appears to belong to Cristiano Ronaldo, the world-famous soccer player. Again, The Daily Beast confirmed the address is linked to an Instagram account, and the email address itself is not publicly available, according to Google searches. Whoever controls the email account did not respond to a request for comment.
The Doxagram site itself also appears to function, with The Daily Beast successfully looking up alleged details for the popular National Geographic account, pop star Jennifer Lopez, and several other celebrities. According to The Daily Beast’s tests, Doxagram allegedly includes data on many of the top 50 most popular accounts on Instagram.
As for why the database contains high profile users, the hackers claimed they set up their scraper to initially target all users with over 1 million followers, and then recursively harvest other users. In all, the hackers claim to have over 6 million accounts in their database. However, The Daily Beast has not seen the full alleged list of users.
At the time of writing, the hackers are charging $10 per search. The site accepts payments in the pseudo-anonymous currency bitcoin.
Asked whether they were concerned how people may end up using their service, the person from the Doxagram site who provided the data sample told The Daily Beast, “not really.”
An Instagram spokesperson declined to talk on the record about this latest incident. The spokesperson provided the same statement as issued yesterday.
“We recently discovered that one or more individuals obtained unlawful access to a number of high-profile Instagram users’ contact information—specifically email address and phone number—by exploiting a bug in an Instagram API. No account passwords were exposed. We fixed the bug swiftly and are running a thorough investigation,” it read.
“Our main concern is for the safety and security of our community. At this point we believe this effort was targeted at high-profile users so, out of an abundance of caution, we are notifying our verified account holders of this issue,” the statement added. “As always, we encourage people to be vigilant about the security of their account and exercise caution if they encounter any suspicious activity such as unrecognized incoming calls, texts and emails.”