Instagram API flaw affects more than just celebrities, Facebook-owned site admits
Instagram has confirmed an API flaw exposed the personal information of millions of its users – not just verified accounts as was first reported.
Last week it emerged the telephone numbers and email addresses of ‘high-profile Instagram users’ had been exposed, but thankfully no passwords.
The photo-sharing app did not name the celebrities whose details have been compromised, but it did say it is conducting a ‘thorough investigation’ into the matter and was contacting those involved.
However, it is now telling normal users that their details could also have been compromised.
“We care deeply about the safety and security of the Instagram community, so we want to let you know that we recently discovered a bug on Instagram that could be used to access some people’s email address and phone number even if they were not public,” said Mike Krieger, Instagram CTO. “No passwords or other Instagram activity was revealed.
“We quickly fixed the bug, and have been working with law enforcement on the matter. Although we cannot determine which specific accounts may have been impacted, we believe it was a low percentage of Instagram accounts.”
Krieger said users should be “vigilant” about the security of their account and be cautious if they see anything suspicious such as unrecognised calls, texts or emails. These could be used to stage phishing scams or social engineering. Additionally, Instagram requests that any unusual activity be reported.
“Protecting the community has been important at Instagram from day one, and we’re constantly working to make Instagram a safer place. We are very sorry this happened,” added Krieger.
Instagram has had a number of security scares in recent years.
In June ESET researchers warned that Russian hackers behind the Turla trojan package had started using Instagram as a means of staying hidden once they have infected a target network.
And last August security firm ZeroFOX warned that a huge number of financial scams were targeting Instagram account holders. Symantec had also warned that hacked Instagram profiles were being altered with pornographic imagery promoting adult dating and porn spam.
All those happened despite Instagram already being under pressure to ramp up its security following a number of high-profile incidents in 2015, including one where the account of pop star Taylor Swift was hijacked by Lizard Squad hackers.
In February 2016 the photo-sharing service added two-factor authentication (2FA) to its service, which meant users could choose to have two forms of identification verified before accessing their account. Instagram was acquired by Facebook back in 2012.