On May 20, TechCrunch reported that an Amazon Web Services database containing records on millions of Instagram members had been left exposed. Security researcher Anurag Sen discovered the massive data reservoir and found it could be accessed without a password. Additionally, the publication learned the sprawling index contained information on 49 million Instagram users in total, including several celebrities and high-profile influencers.
The Company Behind The Data Leak
Unable to determine the owner of the database, Sen turned to TechCrunch for help. The publication subsequently used its resources to discover that Chtrbox, an Indian marketing company, had established the index.
During its investigation, the publication noted the agency maintained unusually robust records. Furthermore, its database featured Instagram influencer usernames, profile pictures, location data, email addresses, and phone numbers.
The site also noted Chtrbox’s database contained an estimated worth for each Instagram user account. Each of the firm’s records detailed users’ follower count, reach, and the engagement rates of their content. Apparently, the company used its records to determine how much to pay individual influencers for sponsored posts.
TechCrunch reached out to several users whose records were in the index. The unnamed influencers confirmed Chtrbox had access to their legitimate contact information. However, the site found none of the people it contacted had business relationships with the Mumbai-based agency.
After verifying the legitimacy of the database, the outlet contacted Chtrbox regarding its insecure index. In response, the firm took down its cloud-based information reservoir but refused to answer any questions.
Based on the size and detail of the insecure database, the marketing company most likely created it by exploiting a vulnerability in Instagram’s application programming interface (API). In 2017, hackers used a bug in the social media company’s security API to harvest data on 6 million Instagram users. Unfortunately, the cybercriminals responsible for that breach later sold the harvested information on the dark web.
Facebook noted it would investigate the data leak and how Chtrbox came to acquire its subsidiary’s records. The social media giant has recently struggled with API problems.
In 2016, political consulting firm Cambridge Analytica used Facebook’s development API to harvest data on millions of users without authorization. The company’s misuse of the tool later caused a slew of problems for the world’s biggest social media corporation.
Government officials, privacy advocates, individual users, and one of its founders have criticized Facebook for its lax data security. The Federal Trade Commission (FTC) is preparing to issue a multibillion-dollar fine against the platform for its privacy protection failures.
As the tech industry has faced increased public scrutiny in recent months, regulators have become more active in policing the industry. In March, Sen. Elizabeth Warren called for Amazon, Facebook, and Google to be dismantled because of their size and unethical business practices. The same month, the FTC launched an investigation into AT&T, T-Mobile, and Verizon for selling user location data.
Overall, Washington’s recent shift in priorities could have severe consequences for Facebook. If hackers accessed millions of user accounts through Instagram’s API a second time, the company might face an investigation for its data practices. Additionally, Facebook critics could argue the conglomerate’s inability to provide its subsidiaries with adequate data protection supports the notion it should be broken up.