Popular social media website Instagram has roughly 700 million users. According to several reports, a vulnerability in its API allowed hackers to harvest users’ private data, including phone numbers and email addresses. At least one group of hackers exploited the bug and pulled as many as 6 million user records before researchers at Kaspersky Labs informed Instagram, which then fixed the bug.
The hackers who got hold of users’ information are now selling it on the dark web for $10 (about 0.002194 BTC at press time) per query. The hackers are going by the name “Doxagram”, a combination of the term “doxing” and the name of the photo-focused social network, Instagram.
Instagram’s vulnerability, according to the Kaspersky Labs researcher who found it, was in its API. Specifically, a password-reset request returned the target account’s phone number and email address in the JSON response; no passwords were exposed. Initially, it was believed that the data could only be extracted manually, but the hackers stated they managed to automate the process.
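To make the class of bug concrete, here is an added illustration in Python that is not Instagram’s code and not from the article. The endpoint, the account store and the handler names are hypothetical, and the sample accounts are constructed. The vulnerable handler echoes the account’s contact details into the password-reset response, which is all an automated scraper needs; the hardened handler returns the same body whether or not the account exists and rate-limits callers, so bulk harvesting yields nothing.

```python
import time
from collections import defaultdict

# Constructed sample accounts for the demonstration (not real data).
# Note that one account has no phone number, mirroring the article's
# observation that not every record in the dump contains both fields.
USERS = {
    "alice": {"email": "alice@example.com", "phone": "+15551230001"},
    "bob":   {"email": "bob@example.com",   "phone": "+15551230002"},
    "carol": {"email": "carol@example.com", "phone": None},
}


def reset_vulnerable(username: str) -> dict:
    """Hypothetical over-exposing handler.

    Like the bug described in the article, it never returns a password,
    but it copies the contact channels it intends to use straight into
    the JSON body, so every call leaks one user's phone and email."""
    user = USERS.get(username)
    if user is None:
        # Different body for unknown accounts: also allows username enumeration.
        return {"status": "error", "message": "user not found"}
    return {"status": "ok", "email": user["email"], "phone": user["phone"]}


class ResetRateLimiter:
    """Sliding-window counter per caller (IP, session, API key, ...).

    The clock is injectable so the behaviour can be tested deterministically."""

    def __init__(self, max_requests: int, window_seconds: float, clock=time.monotonic):
        self.max_requests = max_requests
        self.window = window_seconds
        self.clock = clock
        self.hits = defaultdict(list)

    def allow(self, caller: str) -> bool:
        now = self.clock()
        recent = [t for t in self.hits[caller] if now - t < self.window]
        if len(recent) >= self.max_requests:
            self.hits[caller] = recent
            return False
        recent.append(now)
        self.hits[caller] = recent
        return True


def reset_hardened(username: str, caller: str, limiter: ResetRateLimiter) -> dict:
    """Hypothetical hardened handler.

    The account is looked up server-side only: the contact channel is
    used to deliver the reset message and is never echoed back. The body
    is identical for existing and non-existing accounts, and the limiter
    throttles the automation the article says the attackers built."""
    if not limiter.allow(caller):
        return {"status": "error", "message": "too many requests"}
    _user = USERS.get(username)  # used only to dispatch the reset out of band
    return {
        "status": "ok",
        "message": "If that account exists, reset instructions have been "
                   "sent to the contact details on file.",
    }


def harvest(usernames, handler) -> dict:
    """Simulate the automated scrape: call the reset endpoint for each
    username and keep whatever contact details the response gives away."""
    found = {}
    for name in usernames:
        resp = handler(name)
        if resp.get("status") == "ok" and (resp.get("email") or resp.get("phone")):
            found[name] = {"email": resp.get("email"), "phone": resp.get("phone")}
    return found


if __name__ == "__main__":
    targets = ["alice", "bob", "carol", "nobody"]
    print("vulnerable:", harvest(targets, reset_vulnerable))
    limiter = ResetRateLimiter(max_requests=100, window_seconds=60)
    print("hardened:  ", harvest(targets, lambda n: reset_hardened(n, "scraper", limiter)))
```

Two design points worth noting: a uniform response body is what prevents the endpoint from doubling as a username-enumeration oracle, and even masked hints such as a partially starred email still leak something, which is why the hardened handler returns none. Rate limiting alone would only slow a determined scraper down; removing the data from the response is the actual fix.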
The group, according to researchers, is offering contact information on A-list celebrities and other “high profile” individuals, as well as on a few unverified users. The list of celebrities whose phone number and email address can be purchased for 0.002194 BTC includes Miley Cyrus, Beyoncé, Taylor Swift, and boxer Floyd Mayweather.
Doxagram even created an account on popular Bitcoin forum Bitcointalk, just so they could advertise their new service. The post states:
“We offer the only Instagram lookup service on the market, we can pull information on ANY Instagram account for you instantly!”
Instagram is reportedly aware of the post and is investigating the case. It stated that it takes people’s security very seriously and, as such, is working with law enforcement on the case. Moreover, it added that it encourages people to “exercise caution if they encounter any suspicious activity”, including incoming texts and emails, as these can be phishing attempts.
A 10,000-user sample
Doxagram showed Ars Technica a 10,000-contact sample to prove they were serious. The sample revealed that not every record includes both the user’s phone number and email address. According to Ars Technica, of the 10,000 entries provided, only 4,341 include both a phone number and an email address. Together with Troy Hunt, maintainer of the Have I Been Pwned website, Ars Technica concluded that the attack was legitimate. The sample was reportedly available on the deep web.
On the Bitcointalk forum, various users showed interest in using the service. To help them purchase, the admin behind the Doxagram account stated that, after registering, users could check whether the details they were looking for are in the database before paying. Further, Doxagram told Ars Technica that sales were going well: they made a total of $500 in the first six hours, from only 12 deposits.