UPDATED 22:23 EDT / MAY 20 2019


Instagram user information exposed on misconfigured AWS instance

In yet another case of a misconfigured Amazon Web Services Inc. instance, a database with records of more than 49 million Instagram users, including so-called “influencers,” has been found online exposed to all and sundry.

The database, discovered by a security researcher and first reported by TechCrunch, included bio, profile picture, the number of followers the Instagram user has, whether they’re verified and their location by city and country. Other data included private contact information, in particular email address and phone number as well as an estimated worth of each account based on the number of followers, engagement, reach, likes and shares.

Much of the data was allegedly scraped from Instagram accounts, meaning that it was, in theory, publicly available. But the format in which it was found makes it far simpler for hackers and other malicious actors to target those on the database.

The database was tracked back to a Mumbai-based social media marketing firm Chtrbox, which is said to pay influencers to post sponsored content on their accounts. According to its website, Chtrbox is “an influencer marketing tool with a large community of Instagram influencers and digital content creators that collaborate for branded storytelling on social media.” The company is primarily but not exclusively focused on India.

The database has since been pulled offline. It’s not known if bad actors may have accessed or downloaded the database, but in theory they certainly could have.

Pankaj Parekh, chief product and strategy officer at SecurityFirst Corp., suggested to SiliconANGLE that perhaps the data wasn’t scraped and Chtrbox potentially stole data from Instagram.

“This breach is really two breaches,” he said. “How did Chtrbox get access to the private data of millions of Instagram users? It might have been a known API exposure in Instagram – the investigation is ongoing. And why didn’t Chtrbox secure the data that they posted on AWS? Cloud-based storage needs to be secured – technology to secure data in the cloud is available. Both Chtrbox and Instagram took a light approach to securing personal data, and both should be penalized.”

Image: Chtrbox

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy