The personal details of millions of Instagram users, including brands, celebrities and other online influencers, have been exposed on a public database, it has been revealed.
The cache was discovered in a database hosted on Amazon Web Services that was publicly accessible and not password protected, allowing anyone who came across it to access over 49 million records.
According to TechCrunch, which first reported the breach, the database contained information scraped from public Instagram accounts, including each account’s bio, profile picture, number of followers, whether it is verified and its location by city and country.
However, it also contained private contact information, such as the Instagram account owner’s email address and phone number.
The database itself was not managed by Instagram, but instead was traced back to an Indian marketing firm called Chtrbox, which pays online influencers to post sponsored content on their accounts.
After being contacted by TechCrunch, the firm took the database offline, but it did not respond to questions about how it had obtained private Instagram account email addresses and phone numbers.
Some of the individuals in the database confirmed the contact details were genuine when contacted by TechCrunch, but stated they had no connection with Chtrbox.
Instagram’s owner Facebook said: “We’re looking into the issue to understand if the data described – including email and phone numbers – was from Instagram or from other sources. We’re also inquiring with Chtrbox to understand where this data came from and how it became publicly available.”
The breach may highlight how vulnerable many people’s personal details are when they are stored publicly online, leaving them exposed to data-harvesting tools that can collate large amounts of information for use by third parties.
It also illustrates the risks posed when firms do not take adequate care of the data they hold, regardless of how it was obtained. In this case, it seems files stored in the cloud lacked basic access management protections that would have restricted who could view this highly sensitive personally identifiable information.