Instagram API found leaking 'high-profile' email addresses and phone numbers

The Facebook-owned company says no passwords were leaked, but is warning users about suspicious calls and texts.
Written by Chris Duckett, Contributor

Instagram has alerted all its verified users of unlawful access to phone and email contact information for its "high-profile" users thanks to a buggy API.

The company said no passwords were accessed, that it quickly fixed the bug, and that it is conducting an investigation into the incident.

"At this point we believe this effort was targeted at high-profile users," the photo-sharing site said in its alert. "We encourage you to be extra vigilant about the security of your account and exercise caution if you encounter any suspicious activity such as unrecognized incoming calls, texts, and emails."

"Your experience on Instagram is important to us, and we are sorry this happened."

In June, it was discovered a hacking group was controlling its malware via comments on Britney Spears' Instagram account.

A fake Firefox extension would search a specific Instagram post to work out where the malware command and control server was located, security researchers at Eset said.

"The extension uses a bit.ly URL to reach its [server], but the URL path is nowhere to be found in the extension code. In fact, it will obtain this path by using comments posted on a specific Instagram post," the researchers said.

"The extension will look at each photo's comment and will compute a custom hash value."

The same month, the Facebook-owned company was used, without its knowledge, as a recruiting tool to lure people into a bank fraud scheme.

Suspects posted bank photos to Instagram and sought people to "like" their posts. When people responded, they were asked to give away their account information in exchange for a cut of the money the suspects planned to steal from the banks.
