A new day, a new security scandal for Facebook. On this occasion, it affects its photo-sharing social network, Instagram.
“Instagram had a security problem in its API that allowed third-party apps to access users’ personal information.”
A security researcher named Anurag Sen has found a database hosted on Amazon Web Services that held, without any password or other protection, the personal data of at least 49 million influential users of the application.
Apparently, the data was collected using scraping techniques and included each account's bio, profile image, number of followers, whether the profile was verified, and the city and country of residence. Up to that point, all of this is data that can be obtained publicly. The problem is that the database also contained private data such as email addresses or personal phone numbers, the ones used to open the Instagram accounts.
Along with this information, there was also a numerical value that determined, based on each account's number of followers, reach, engagement, likes, shares …, the price that a company could pay for a promoted post on Instagram. In other words, it is a database built by an influencer agency that was published on Amazon Web Services and remained accessible to anyone for an unknown length of time.
As TechCrunch has learned, the database could belong to Chtrbox, a social media marketing company based in Mumbai (India) that manages paid posts on influencers' profiles. In fact, some of the names found in the database correspond to high-profile users with millions of followers on the platform. Singers, well-known bloggers and other influencers would be among the affected accounts.
After Chtrbox was contacted, the database was removed from Amazon Web Services. The problem, however, is not the agency in itself, but how the company obtained the personal data that users signed up for Instagram with.
We must bear in mind that two years ago Instagram already admitted to a security problem in its API that allowed cybercriminals to obtain users' email addresses and telephone numbers. Apparently, on that occasion 6 million accounts were compromised and the information was sold on the Internet for bitcoin.
After that scandal, Instagram modified its API so that third-party applications could no longer request large amounts of user information. It could be that Chtrbox's information came from that sale, or that there have been more illegal accesses without Instagram having noticed.