Instagram Says Bug Exposed Contact Information of High-Profile Users

Courtesy of Instagram

In an update on Friday, the company said some non-verified users may also have been impacted and that contact information obtained through the bug was now being sold.

Instagram has notified its users that a bug in its system affected more users than it initially realized. 

The Facebook-owned company said Friday that after additional analysis, it has determined that "a low percentage" of non-verified Instagram account holders were potentially impacted by a glitch that exposed phone numbers and email addresses of its users. Initially, Instagram believed that the bug had only impacted its verified account holders. 

CTO Mike Kreiger posted on the Instagram blog about the incident, encouraging users to "be vigilant about security of your account, and exercise caution if you observe any suspicious activity such as unrecognized incoming calls, texts, or emails." 

Instagram further indicated Friday that some people were now selling the contact information that they obtained through the bug. "We take people's security very seriously and are working closely with law enforcement on this matter," an Instagram spokeswoman said in a statement. 

According to The Daily Beast, the hackers had wet up a searchable database of contact information for about 1,0000 users. The site, called Doxagram, was charging $10 per search. The Verge is reporting that the site was offline on Friday afternoon. A U.K. based cybersecurity firm, RepKnight, says that it has found contact information for 500 actors, musicians and athletes — including Leonardo DiCaprio, Emma Watson, Beyonce, Taylor Swift and David Beckham — for sale on the dark web that it believes was the result of the Instagram breach.

On Aug. 30, Instagram began notifying its verified account holders that at least one person exploited a bug in its system to access contact information for its high-profile users. 

At the time, the company in a statement that it has already fixed the bug and would run an investigation into the matter. It further said that no account passwords were exposed in the breach, which allowed for email addresses and phone numbers to be accessed. 

"We recently discovered that one or more individuals obtained unlawful access to a number of high-profile Instagram users' contact information — specifically email address and phone number — by exploiting a bug in an Instagram API," the statement reads. "No account passwords were exposed. We fixed the bug swiftly and are running a thorough investigation." 

It continues: "Our main concern is for the safety and security of our community. At this point we believe this effort was targeted at high-profile users so, out of an abundance of caution, we are notifying our verified account holders of this issue. As always, we encourage people to be vigilant about the security of their account and exercise caution if they encounter any suspicious activity such as unrecognized incoming calls, texts and emails." 

Instagram is still investigating the incident and is not disclosing which accounts may have been affected. The photo- and video-sharing app is popular with many actors, musicians and models. Selena Gomez is currently the most-followed on the platform with 125 million followers. Other top-Instagrammers who are verified by the app include Ariana Grande, Taylor Swift, Beyonce, Kim Kardashian and Justin Bieber.

Earlier this week, the account belonging to Gomez was hacked and posted nude photos of Bieber, her ex-boyfriend. The account is now back up and running. 

Sept. 1, 3:27 p.m. Updated with additional information regarding the breach, including new statements from Instagram.