Instagram user information exposed on misconfigured AWS instance
In yet another case of a misconfigured Amazon Web Services Inc. instance, a database with records of more than 49 million Instagram users, including so-called “influencers,” has been found online exposed to all and sundry.
The database, discovered by a security researcher and first reported by TechCrunch, included each user’s bio, profile picture, number of followers, verification status and location by city and country. Other data included private contact information, in particular email address and phone number, as well as an estimated worth of each account based on the number of followers, engagement, reach, likes and shares.
Much of the data was allegedly scraped from Instagram accounts, meaning that it was, in theory, publicly available. But the format in which it was found makes it far simpler for hackers and other malicious actors to target those in the database.
The database was traced back to Mumbai-based social media marketing firm Chtrbox, which is said to pay influencers to post sponsored content on their accounts. According to its website, Chtrbox is “an influencer marketing tool with a large community of Instagram influencers and digital content creators that collaborate for branded storytelling on social media.” The company is primarily but not exclusively focused on India.
The database has since been pulled offline. It’s not known if bad actors may have accessed or downloaded the database, but in theory they certainly could have.
Pankaj Parekh, chief product and strategy officer at SecurityFirst Corp., suggested to SiliconANGLE that perhaps the data wasn’t scraped and Chtrbox potentially stole data from Instagram.
“This breach is really two breaches,” he said. “How did Chtrbox get access to the private data of millions of Instagram users? It might have been a known API exposure in Instagram – the investigation is ongoing. And why didn’t Chtrbox secure the data that they posted on AWS? Cloud-based storage needs to be secured – technology to secure data in the cloud is available. Both Chtrbox and Instagram took a light approach to securing personal data, and both should be penalized.”