Six million Instagram accounts have been exposed online after hackers created a dark web database of personal information, revealing private phone numbers and email addresses.
The scale of the hack on the photo-sharing site emerged after the Instagram account of singer Selena Gomez was compromised last week. UK security researchers discovered hundreds of contact details of celebrities, including Emma Watson, Taylor Swift and Harry Styles, on the dark web.
In addition to leaking the details of hundreds of A-listers, hackers created an online database where cyber criminals could access private user details for $10 per search.
Instagram initially said a “low percentage” of accounts had been affected, although the hackers claim they have details on as many as six million users, the Daily Beast reported.
Instagram has since responded with its advice on how to protect accounts and report suspicious activity.
The hackers, claiming to be Russian and calling themselves “Doxagram”, advertised the account details on online forums with links to the dark web, claiming “it is only $10 (price of 2 cups of coffee) for celebrity contact info”.
One website linked to the hack has since been taken down, with Facebook, which owns Instagram, purchasing domain names used by the hackers to take them offline.
An official Instagram account for the President of the United States of America, run by the White House social media team, was also reported to be among the exposed details.
“We quickly fixed the bug, and have been working with law enforcement on the matter,” said Instagram co-founder Mike Krieger. He added that account passwords had not been exposed by the security flaw.
UK cybersecurity company RepKnight identified 500 celebrity accounts that had been compromised by the hack.
“While Instagram has now fixed the bug that led to the leak, the cat is out of the bag now, and those affected will have to take extra care to maintain their privacy,” said RepKnight analyst Patrick Martin.
How was the data stolen?
The potential vulnerability on Instagram was found by researchers at Kaspersky Labs and reported to Facebook.
A flaw in the password reset option in the Instagram mobile app exposed mobile phone numbers and email addresses, but not passwords. The simple attack involved sending a request for a password reset to an account and intercepting the private phone and email details sent in response to the security query.
The vulnerability existed in a 2016 version of Instagram, meaning those with up-to-date accounts should be safe.
How to protect yourself on Instagram
Instagram has since offered its official advice on what to do if your account has been affected. Instagram said users should exercise additional caution if they receive any calls or emails from unknown or suspicious sources.
“Additionally, we’re encouraging you to report any unusual activity through our reporting tools,” Instagram said. “You can access those tools by tapping the ‘…’ menu from your profile, selecting ‘Report a Problem’ and then ‘Spam or Abuse.’”
Instagram has a page which offers users advice on how best to keep their account protected and what to do if they think an account has been hacked. Users should change their password or send themselves a password reset email if they think they have been affected.
It also suggests users turn on two-factor authentication on their accounts for added protection.
How to turn on two-factor protection on Instagram
- Go to the settings tab in the top right corner of your profile
- Scroll down and select “two-factor authentication”
- Tap “require security code”
- You will then need to add a phone number to your account
- After this a code will be sent to your phone every time you try to log into your account
While this can keep an account safe from hackers, the information taken from Instagram included phone numbers, showing not all data is safe when stored online, even if it is kept private.