A bug that exposed users’ contact information affected a far greater number of accounts than Instagram originally said. The bug, which appears to have been responsible for Selena Gomez’s account being hacked this week, allowed hackers to scrape email addresses and contact information for millions of accounts, Instagram said today. (It has since been fixed.) While the company first said the hack was limited to holders of verified accounts, it said today that non-verified users had been affected as well.
Hours after the hack was disclosed, hackers established a searchable database named Doxagram allowing users to search for victims’ contact information for $10 per search. The hacker provided a list of 1,000 accounts they said were available for searching on Doxagram to the Daily Beast, and the list included most of the 50 most-followed accounts on the service. Instagram still will not say how many accounts were affected, other than that it is a “low percentage of Instagram accounts.” There are more than 700 million active Instagram accounts; hackers say they have information on file for 6 million users. Users’ passwords were not exposed in the hack, Instagram said.
As of 5:50 p.m. Friday, Doxagram was offline. It was unclear how or when it might come back. Instagram would not comment on whether it had sought to have the site shut down.
But even with the site shut down, contact information for dozens of celebrities now appears to be floating around on the dark web. A cybersecurity firm named RepKnight said it found what purported to be contact information for celebrities including:
- Actors: Emma Watson, Emilia Clarke, Zac Efron, Leonardo DiCaprio, Channing Tatum.
- Musicians: Harry Styles, Ellie Goulding, Victoria Beckham, Beyoncé, Lady Gaga, Rihanna, Taylor Swift, Katy Perry, Adele, Snoop Dogg, Britney Spears.
- Athletes: Floyd Mayweather, Zinedine Zidane, Neymar, David Beckham, Ronaldinho.
For celebrities and other high-profile users, the hack could mean having to change a phone number, email address, or both. But the exposed contact information can also be used along with social engineering techniques to gain access to the account itself. That seems to be what happened to Gomez, Instagram’s most-followed user. Her account was briefly taken down Monday after it was used to post nude photographs of Justin Bieber, her ex-boyfriend.
Today’s news is troubling on at least two fronts. One, average Instagram users may be at risk of hacking. Two, Instagram says it does not know which accounts were affected. “After additional analysis, we have determined that this issue potentially impacted some non-verified accounts as well,” Instagram co-founder and chief technical officer Mike Krieger said in a blog post. “Although we cannot determine which specific accounts may have been impacted, we believe it was a low percentage of Instagram accounts.”
The company also said it is “working with law enforcement” to combat the sale of stolen information. “We encourage people to be vigilant about the security of their account and exercise caution if they encounter any suspicious activity such as unrecognized incoming calls, texts and emails,” Krieger said. “The safety and security of our community are important to us, and we are very sorry this happened.”
Update, 6:08 p.m. Updated with information about celebrities that appear to have been affected by the hack.