A hack believed to target only celebrity accounts on Instagram has also accessed millions of users’ private data, says ESET South Africa.
The warning comes just days after singer Selena Gomez's account appeared to be one of the first celebrity accounts to have been compromised, after hackers used a bug in the application programming interface (API) to access phone numbers and email addresses.
The attack was originally believed to have focused solely on gaining access to A-lister accounts, but it was revealed that almost six million Instagram accounts might also have had private information stolen.
The news that “regular” accounts were targeted is a further concern for the social media giant after it had assured everyone on 30 August that it was only celebs that were targeted.
The hackers, who are calling themselves Doxagram, have created an online database on the dark web that is accessible to cybercriminals. The group claim that “it is only $10 (price of two cups of coffee) for celebrity contact info”.
This news prompted Instagram CTO Mike Krieger to release a statement confirming the scale of the breach: “We care deeply about the safety and security of the Instagram community, so we want to let you know that we recently discovered a bug on Instagram that could be used to access some people’s email address and phone number even if they were not public”.
Instagram had originally claimed that only a “low percentage” of accounts were affected, but the hackers quickly refuted this claim, forcing the Facebook-owned company to advise users on how to protect themselves from such an attack. “Additionally, we’re encouraging you to report any unusual activity through our reporting tools,” Instagram says.
It is believed that an official account for the president of the US, run by the White House social media team, was also among the six million Instagram accounts affected by the hack.
It’s not the first time Instagram has been in the news for security issues. Last time, though, it was used by cybercriminals to build URL paths for C&C administration, but there was no hack and it probably did not affect millions of users as this attack has.