How the leak happened and how to protect your account from hackers.
Hackers claim they have contact details of up to six million Instagram users after a bug in the social media platform made profiles’ account information publicly accessible.
The flaw, which exposed the email addresses and phone numbers of both private and public accounts, was subsequently exploited by hackers, who were able to harvest the data into a dark web database, where contact details were being sold.
While the vulnerability was initially thought to have only affected a small number of A-list celebrity accounts, including singers Selena Gomez, Taylor Swift and Harry Styles, The Daily Beast reported that hackers claimed to have the contact details of as many as six million users.
That claim has not yet been substantiated, but a sample of 1,000 accounts was supplied to The Daily Beast, each containing an email address, phone number, or both. The hackers, who remain unidentified, hosted the database on a dedicated site, allowing users to search for contact information for a US$10 fee.
Responding to the leak, Facebook-owned Instagram said it was working with law enforcement, adding that the bug was now fixed and that no passwords were stolen.
“We encourage you to be vigilant about the security of your account, and exercise caution if you observe any suspicious activity such as unrecognised incoming calls, texts, or emails,” Instagram's co-founder and chief technology officer, Mike Krieger, said in a statement.
“Protecting the community has been important at Instagram from day one, and we're constantly working to make Instagram a safer place. We are very sorry this has happened.”
Although Facebook is working to take down the domains used by the hackers, the database was still up and running at the time of writing, and is even operating a dedicated Twitter account.
Researchers at Kaspersky, who apparently discovered the flaw and reported it to Facebook, told Hacker News that the problem lay with Instagram's mobile application programming interface (API), and its password reset function. It was discovered that a user could request a new password on an account and intercept the details sent in response.
As well as advising users to change their passwords, the company has urged them to turn on two-factor authentication, which is available on their Instagram accounts.
How to protect your Instagram account from hackers
Following the leak, Instagram advised users to be on the lookout for any suspicious calls or emails. Any unusual activity on the app should also be reported using Instagram's built-in reporting tools.
Go to your profile, menu, 'Report a Problem' and then 'Spam or Abuse'. Instagram additionally has a page full of advice about what to do if you think you've been hacked.
It also suggests that users enable two-factor authentication on their accounts for added protection.
To turn on two-factor authentication on Instagram:
- Go to the Settings tab from your profile
- Select “two-factor authentication”
- Tap “require security code”
- Add a phone number to your account.
Once enabled, each time you attempt to log into your account, the phone number you have added will be sent a one-time code for you to enter.