A massive database containing contact information of millions of Instagram influencers, celebrities and brand accounts has been found online. The database, hosted by Amazon Web Services, was left exposed and without a password allowing anyone to look inside. At the time of writing, the database had over 49 million records — but was growing by the hour.
From a brief review of the data, each record contained public data scraped from influencer Instagram accounts, including their bio, profile picture, the number of followers they have, if they’re verified and their location by city and country, but also contained their private contact information, such as the Instagram account owner’s email address and phone number.
TechCrunch traced the database back to Mumbai-based social media marketing firm Chtrbox, which pays influencers to post sponsored content on their accounts. Each record also contained a calculated worth for the account, based on the number of followers, engagement, reach, likes and shares it had. This was used as a metric to determine how much the company could pay an Instagram celebrity or influencer to post an ad.
Instagram says it is trying to find out how contact details of almost 50 million of its users were stored online in an unguarded database. https://t.co/FfZUi1Ao49
— Jarvis Media Group (@jarvismediainc) May 21, 2019
Expert Comments:
Colin Bastable, CEO at Lucy Security:
“Facebook, which owns Instagram, said it was looking into the matter.
Alternatively, as the old gag goes – “Facebook has been advised of yet another security hole. Mark Zuckerberg is looking into it.”
Of course, it is no joke for the 49 million influencers, but anyone who entrusts their data to any part of the Facebook business must expect it to have a resale value.”
Martin Jartelius, CSO at Outpost24:
“The latest incident affecting Instagram seems to be a supply chain security issue, where one of the social media platform’s suppliers failed to apply security to a database of Instagram accounts. However, even though the incident didn’t happen within Instagram’s own network, it doesn’t make the company any less responsible.
When an organisation needs to outsource or run a partnership with a third party, it is their responsibility to ensure it does not put their customer data at risk. They must understand how the data will be held and ensure the third party’s security standards are equal to their own. In this case, it seems that Instagram failed to do this and, as a result, has put their customers’ data at risk.”
Kevin Gosschalk, CEO and Co-founder at Arkose Labs:
“Influencers, celebrities and brands carry a lot of clout on social media with their ability to impact their followers’ sentiments and actions. The recent exposure of records containing the private contact information for more than 49 million accounts, including Instagram influencers and celebrities, is a timely reminder of the deep responsibility a company has to protect the mass amount of data that it collects. It also represents yet another instance of a company failing to even use a password, which is a shocking phenomenon because it is the most basic form of security. Time is up – companies need to be proactively protecting their attack surface, especially online databases containing valuable customer records, to protect their digital ecosystems against damaging cyber attacks.”
Ameya Talwalkar, Co-founder and CPO at Cequence Security:
Very often, we find that some database storing private, sensitive data in the application layer is accessible over the internet. In most cases, there is no inherent security built into these databases. That is because they are meant to be accessed by other services and applications in the application tier – post authentication.
There is a notion of explicit trust between the services/applications using these databases. In cases where these databases have some security/authentication support, it is usually not turned ON, in order to serve queries as fast as possible, based on the explicit trust model. As these application tiers are changing very rapidly due to fast dev-ops cycles, there is frequent change happening in that application tier. In some instances, these changes leave sensitive databases wide open for access from the public internet. These unintended exposures are due to errors in firewall policies, moving of security zones, moving of workloads and load balancing. Unfortunately, enterprises don’t discover such errors until after such a breach is widely reported on by media, and a lot of damage to users and to the brand has already resulted.
There have been similar breaches in the past, such as the high profile one involving the USPS – https://techcrunch.com/2018/11/26/the-us-postal-service-exposed-data-of-60-million-users/
How is this happening? The attackers are constantly scanning open/accessible servers/services on the internet. They are getting more focused on services that are hosted in the Public/Private cloud environments, where they know environments change frequently, which leads to a higher probability of errors in security policies. When they discover such sensitive databases, they go after scraping as much data as they can from them. That’s what happened to USPS in the past, and to Instagram influencers today.
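The comment above attributes exposures like this one to drift in firewall policies and security zones that leaves a datastore reachable from the public internet. The following is an added example, not part of the article or of any contributor's or vendor's code, of the kind of check a defender can run on their own cloud inventory before an outsider finds the gap: it walks security-group descriptions in the shape returned by AWS EC2 DescribeSecurityGroups and reports any ingress rule that opens a common datastore port to the whole internet. The group IDs, the rules, and the list of datastore ports are constructed for the example; the cloud provider and database type involved in the incident are not named beyond the article's "hosted by Amazon Web Services".

```python
"""Audit security-group ingress rules for datastore ports open to the world.

Added defender-side example (hypothetical, not from the article): reports any
rule in DescribeSecurityGroups-shaped data that lets 0.0.0.0/0 or ::/0 reach a
port commonly bound by a database or search/cache service.
"""

# Ports commonly bound by datastores; constructed list for this example.
DATASTORE_PORTS = {
    1433: "mssql",
    3306: "mysql",
    5432: "postgresql",
    6379: "redis",
    9200: "elasticsearch",
    27017: "mongodb",
}

# CIDRs that mean "anyone on the internet".
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def datastore_ports_in_rule(rule):
    """Return the datastore ports covered by one IpPermissions entry.

    AWS encodes "all traffic" as IpProtocol "-1" with no FromPort/ToPort
    (or -1 for both), so a missing or -1 port range covers every port.
    """
    lo = rule.get("FromPort", -1)
    hi = rule.get("ToPort", -1)
    if rule.get("IpProtocol") == "-1" or lo == -1 or hi == -1:
        return set(DATASTORE_PORTS)
    return {p for p in DATASTORE_PORTS if lo <= p <= hi}


def world_open_cidrs(rule):
    """Return the IPv4/IPv6 ranges in a rule that are open to the whole internet."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD_CIDRS]


def audit_security_groups(groups):
    """Return (group id, port, service, cidr) for every world-open datastore port."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            open_cidrs = world_open_cidrs(rule)
            if not open_cidrs:
                continue  # reachable only from named ranges or other groups
            for port in sorted(datastore_ports_in_rule(rule)):
                for cidr in open_cidrs:
                    findings.append((sg["GroupId"], port, DATASTORE_PORTS[port], cidr))
    return findings


# Constructed sample inventory (not real infrastructure). sg-0aaa exposes a
# MongoDB port to the world next to a legitimate HTTPS rule; sg-0bbb allows
# PostgreSQL only from a private range but also has an "all traffic" IPv6 rule.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-0bbb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]

if __name__ == "__main__":
    for group_id, port, service, cidr in audit_security_groups(SAMPLE_GROUPS):
        print(f"{group_id}: {service} ({port}/tcp) reachable from {cidr}")
```

In a real deployment the `groups` argument would be the `SecurityGroups` list from `boto3`'s `describe_security_groups`, and the check would run on a schedule so that a rule changed during a deployment is caught the same day rather than after a scrape. The "all traffic" rule on sg-0bbb is the case most easily missed by eye, since no port number appears in it at all.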
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.