SafeUM

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
4 Sep 2017

Site sells Instagram users’ phone and e-mail details

At first glance, the Instagram security bug that was exploited to obtain celebrities' phone numbers and e-mail addresses appeared to be limited, possibly to a small number of celebrity accounts.

Now a database of 10,000 credentials published online Thursday night suggests the breach is much bigger. The database was provided by someone who e-mailed in response to Thursday's story, mentioned above, about the Instagram breach. 

The sender said he was able to scrape personal data belonging to 6 million users and was selling the data in a searchable website for $10 per query. The person provided a sample of 10,000 of those records. While Instagram has yet to confirm the authenticity of the sample, an analysis by security researcher Troy Hunt, maintainer of the Have I Been Pwned breach notification service, all but concludes it's legitimate. To protect potentially affected end users, experts aren't publishing the sites hosting the sale of the purported 6 million records or the sample, which was freely available when this post was going live.

"So far we've had 12 deposits totaling around $500," the site operator said early Friday morning, about six hours after the service went live. "Not a horrible start."

Of the 10,000 records in the sample, 9,911 of them include either a phone number or e-mail; 5,341 include a phone number, and 4,341 include a phone number and e-mail. The data clearly isn't thrown together. A search of several dozen user names, for instance, showed they all corresponded to real Instagram users, and those user profiles were consistent with the phone numbers associated with them. The data, for example, included user names for three users whose profiles showed they were located in Australia, Thailand, and Germany. The phone numbers accompanying those users all contained the corresponding phone number country codes.

Some of the users in the database had millions of followers. Hunt said: "My conclusion: there's nothing in here to disprove the data. It's *possible* it has been scraped together from other sources, but every indication is that it's legitimate and the vector you wrote about earlier is absolutely feasible and certainly not unprecedented."

An Instagram representative said late Thursday night that company officials are aware of the claim and are investigating it. Instagram has a reported 700 million active users per month.

The person who provided the sample said he learned of the vulnerability in an IRC discussion. He also said he's sure other people have independently exploited the bug but doubts most were able to make their attacks scale the way his did. About 12 hours after his mass exploit started, he said, Instagram plugged the underlying security hole. Contrary to initial findings by Kaspersky Lab researchers, the leaker said it was possible to exploit the Instagram bug in an automated way. That made it possible to steal data at roughly 1 million accounts per hour, which is much faster than first thought. At that rate, it would have taken almost two weeks to download the 700 million-user records, and longer to obtain the entire database.

Assuming the 6-million figure is true, and the 10,000-record sample is representative, millions of e-mail addresses and phone numbers are now available for sale, and still more account data may be in the hands of other hackers. Until the company says more, Instagram users should entertain the possibility the numbers and e-mail addresses associated with their accounts are now public. This post will be updated as new information becomes available.


Tags: information leaks, Instagram
Source: Ars Technica