Instagram influencers, including renowned bloggers, brand ambassadors and celebrities, woke up Monday to news that a massive database exposure made contact information and other data available online.
The discovery was made by security researcher Anurag Sen, who found the Amazon Web Services-hosted database was left online without password protection.
The vulnerable information included bio, profile picture, number of followers for verified accounts, city and contact details, such as e-mail address and phone number.
For help in finding the database owner and securing the data, Sen contacted tech blog TechCrunch. According to the site, the database — which, it reported, held more than 49 million records at the time — is owned by Chtrbox, a Mumbai-based influencer marketing firm. Chtrbox apparently valued and paid influencers according to a score based on number of followers, engagement, reach, likes and shares. The metric was among the information exposed.
However, at least some of the records belonged to Instagram users who had no relationship with Chtrbox.
Exactly who and how many people were affected has not been disclosed at this time. [Update: According to Chtrbox, the issue affected 350,000 influencers. See below.] In the face of the startling discovery, the firm yanked the database offline.
WWD reached out to Chtrbox and Instagram. The marketing firm did not immediately respond, while an Instagram representative offered a cautious and measured statement. The Facebook-owned, photo-sharing company says it is not even sure that the information came from the platform, but it’s launching an investigation to find out.
“We’re looking into the issue to understand if the data described — including e-mail and phone numbers — was from Instagram or from other sources,” an Instagram spokeswoman informed WWD. “We’re also inquiring with Chtrbox to understand where this data came from and how it became publicly available.”
This is not the first time Instagram personalities have dealt with such issues. Two years ago, hackers exploited a security hole in Instagram’s developer tools to access and post private photos and other information belonging to Selena Gomez, Justin Bieber and other celebrities. Instagram patched the hole, but not before the hackers sold the information for Bitcoins.
The previous hack compromised six million Instagram accounts, but the current matter seemingly dwarfs the previous incident in scale.
Instagram swells with more than a billion users, and the platform — along with others, including rivals Snapchat and YouTube — has become a critical pipeline between brands, influencers and consumers. According to the Sprout Social 2019 Index, released Monday, 90 percent of social marketers believe that investing in social media has a direct impact on their business revenue, and 63 percent of practitioners believe social listening will be even more important this year.
Part of the momentum might relate to the growing category of social commerce. Instagram has been steadily developing shopping features, most recently allowing users to transact directly through influencer posts.
A Chtrbox representative responded to WWD’s inquiry with the following statement:
“The reports on a leak of private data are inaccurate. A particular database for limited influencers was inadvertently exposed for approximately 72 hours. This database did not include any sensitive personal data and only contained information available from the public domain, or self reported by influencers,” the statement read.
“We would also like to affirm that no personal data has been sourced through unethical means by Chtrbox,” it continued. “Our database is for internal research use only, we have never sold individual data or our database, and we have never purchased hacked-data resulting from social media platform breaches. Our use of our database is limited to help our team connect with the right influencers to support influencers to monetize their online presence, and help brands create great content.”
Via Twitter, Chtrbox claimed that its database snafu involved only 350,000 users, which would narrow the scale of the exposure quite a bit. However, it didn’t specify how its system identifies and sorts data or if it attributes multiple records to a single identity. And while the reply attempts to minimize the incident, it did not explain how the database was exposed in the first place.
On Instagram’s end, a spokeswoman followed up with a bit more clarification via email:
“We take any allegation of data misuse seriously. Following an initial investigation into the claims made in [the TechCrunch] story, we found that no private emails or phone numbers of Instagram users were accessed,” she wrote. “Chtrbox’s database had publicly available information from many sources, one of which was Instagram.”
After investigating the matter, Instagram confirmed that the phone numbers and email addresses didn’t come from its developer tools. Numbers of likes, however, are publicly available information.
Ultimately, both Instagram and Chtrbox strongly deny that any data scraping took place. Typically, scraping involves setting up systems or protocols that grab unauthorized information through backdoors or illicit techniques. Such behavior not only makes the culprit look bad, but also the network for not securing its platform.
In this case, Chtrbox seems to have collected the information directly from the influencers, from their Instagram bios or through research. That doesn’t rise to the level of scraping data. But it’s still problematic.
Turns out, the act of copying info from user bios violates Instagram’s policy. As a result, the platform revoked Chtrbox’s access.