TechCrunch has detailed a massive database leak: a database containing contact information of millions of Instagram influencers, celebrities and brand accounts has been found online.
The database, hosted by Amazon Web Services, was left exposed and without a password, allowing anyone to look inside. At the time of writing, the database had over 49 million records, but was growing by the hour.
From a brief review of the data, each record contained public data scraped from influencer Instagram accounts, including their bio, profile picture, the number of followers they have, if they’re verified and their location by city and country, but also contained their personal contact information, such as the Instagram account owner’s email address and phone number.
Security researcher Anurag Sen discovered the database and alerted TechCrunch in an effort to find the owner and get the database secured. We traced the database back to Mumbai-based social media marketing firm Chtrbox, which pays influencers to post sponsored content on their accounts. The records contained data that calculated the worth of each account, based off the number of followers, engagement, reach, likes and shares they had. This was used as a metric to determine how much the company could pay an Instagram celebrity or influencer to post an ad.
Later in a tweet, Chtrbox disputed the number of people affected and claimed no more than 350,000 influencers were affected. Chtrbox also said the database was only open for 72 hours, but the researcher confirmed the database was first detected on Shodan, a search engine for exposed databases and devices, on May 14.
The scraping effort comes two years after Instagram admitted a security bug in its developer API allowed hackers to obtain the email addresses and phone numbers of six million Instagram accounts. The hackers later sold the data for bitcoin.