UPDATED 22:23 EDT / MAY 20 2019

SECURITY

Instagram user information exposed on misconfigured AWS instance

In yet another case of a misconfigured Amazon Web Services Inc. instance, a database with records of more than 49 million Instagram users, including so-called “influencers,” has been found online exposed to all and sundry.

The database, discovered by a security researcher and first reported by TechCrunch, included each user's bio, profile picture, number of followers, verification status and location by city and country. Other data included private contact information, in particular email addresses and phone numbers, as well as an estimated worth of each account based on the number of followers, engagement, reach, likes and shares.

Much of the data was allegedly scraped from Instagram accounts, meaning that it was, in theory, publicly available. But the format in which it was found makes it far simpler for hackers and other malicious actors to target those in the database.

The database was traced back to Mumbai-based social media marketing firm Chtrbox, which is said to pay influencers to post sponsored content on their accounts. According to its website, Chtrbox is “an influencer marketing tool with a large community of Instagram influencers and digital content creators that collaborate for branded storytelling on social media.” The company is primarily but not exclusively focused on India.

The database has since been pulled offline. It’s not known if bad actors may have accessed or downloaded the database, but in theory they certainly could have.

Pankaj Parekh, chief product and strategy officer at SecurityFirst Corp., suggested to SiliconANGLE that perhaps the data wasn’t scraped and Chtrbox potentially stole data from Instagram.

“This breach is really two breaches,” he said. “How did Chtrbox get access to the private data of millions of Instagram users? It might have been a known API exposure in Instagram – the investigation is ongoing. And why didn’t Chtrbox secure the data that they posted on AWS? Cloud-based storage needs to be secured – technology to secure data in the cloud is available. Both Chtrbox and Instagram took a light approach to securing personal data, and both should be penalized.”

Image: Chtrbox
