Instagram API Flaw Reveals Celebrity Data

Instagram has admitted that a number of celebrities have had their contact details exposed by a flaw with their systems.

The telephone numbers and email addresses of ‘high-profile Instagram users’ have been exposed, but thankfully no passwords.

The photo-sharing app did not name the celebrities whose details have been compromised, but it did say it is conducting a ‘thorough investigation’ into the matter and was contacting those involved.

Celebrity Data

Instagram is used by many high profile celebrities including the likes of Selena Gomez, Taylor Swift, Kendall Jenner, Kim Kardashian West, Cristiano Ronaldo, and Dwayne “The Rock” Johnson.

Of course the most high profile celebrity hacking attack in recent years was the famous “Celebgate” iCloud hack in 2014 that resulted in naked photos of hollywood stars such stars like Jennifer Lawrence, Christina Hendricks and Anna Kendrick being posted online.

But other attacks have targetted celebrities since then, and now Instagram has added to the list with its admission this week.

“We recently discovered that one or more individuals obtained unlawful access to a number of high-profile Instagram users’ contact information – specifically email address and phone number – by exploiting a bug in an Instagram API,” an Instagram spokesperson told Silicon UK in an emailed statement.

“No account passwords were exposed,” the spokesperson added. “We fixed the bug swiftly and are running a thorough investigation.”

And it said it was contacting people as a result of this.

“Our main concern is for the safety and security of our community,” the spokesperson told Silicon UK. “At this point we believe this effort was targeted at high-profile users so, out of an abundance of caution, we are notifying our verified account holders of this issue.”

“As always, we encourage people to be vigilant about the security of their account and exercise caution if they encounter any suspicious activity such as unrecognized incoming calls, texts and emails,” the spokesperson said.

It seems that a bug in the Instagram API made it possible for someone to obtain a set of code, which potentially contained the email addresses and phone numbers for Instagram accounts.

Apparently one individual who found the bug, has used it to access information for some accounts.

Past Scares

Instagram has had a number of security scares in recent years.

In June ESET researchers warned that Russian hackers behind the Turla trojan package had started using Instagram as a means of staying hidden once they have infected a target network.

And last August security firm ZeroFOX warned a huge number of financial scams were targeting Instagram account holders. Symantec had also warned that hacked Instagram profiles were being altered with pornographic imagery promoting adult dating and porn spam.

All those happened despite Instagram already being under pressure to ramp up its security following a number of high-profile incidents in 2015, including one where the account of pop star Taylor Swift was hijacked by Lizard Squad hackers.

In February 2016 the photo-sharing service added two-factor authentication (2FA) to its service, which meant users could choose to have two forms of identification verified before accessing their account. Instagram was acquired by Facebook back in 2012.

Quiz: Are you a security pro?