A bug that exposed users’ contact information affected a far greater number of accounts than Instagram originally said. The bug, which appears to have been responsible for Selena Gomez’s account being hacked this week, allowed hackers to scrape email addresses and contact information for millions of accounts, Instagram said today. (It has since been fixed.) While the company first said the hack was limited to holders of verified accounts, it said today that non-verified users had been affected as well.

Hours after the hack was disclosed, hackers established a searchable database named Doxagram allowing users to search for victims’ contact information for $10 per search. The hacker provided a list of 1,000 accounts they said were available for searching on Doxagram to the Daily Beast, and the list included most of the 50 most-followed accounts on the service. Instagram still will not say how many accounts were affected, other than that it is a “low percentage of Instagram accounts.” There are more than 700 million active Instagram accounts; hackers say they have information on file for 6 million users. Users’ passwords were not exposed in the hack, Instagram said.

As of 5:50 p.m. Friday, Doxagram was offline. It was unclear how or when it might come back. Instagram would not comment on whether it had sought to have the site shut down.

But even with the site shut down, contact information for dozens of celebrities now appears to be floating around on the dark web. A cybersecurity firm named RepKnight said it found what purported to be contact information for celebrities including:

For celebrities and other high-profile users, the hack could mean having to change a phone number, email address, or both. But it can also be used along with social engineering techniques to gain access to the account itself. That seems to be what happened to Gomez, Instagram’s most-followed user. Her account was briefly taken down Monday after it was used to post nude photographs of Justin Bieber, her ex-boyfriend.

Today’s news is troubling on at least two fronts. One, average Instagram users may be at risk of hacking. Two, Instagram says it does not know which accounts were affected. “After additional analysis, we have determined that this issue potentially impacted some non-verified accounts as well,” Instagram co-founder and chief technical officer Mike Krieger said in a blog post. “Although we cannot determine which specific accounts may have been impacted, we believe it was a low percentage of Instagram accounts.”

The company also said it is “working with law enforcement” to combat the sale of stolen information. “We encourage people to be vigilant about the security of their account and exercise caution if they encounter any suspicious activity such as unrecognized incoming calls, texts and emails,” Krieger said. “The safety and security of our community are important to us, and we are very sorry this happened.”

I literally just added my phone number, in order to make it more secure

Why is that?

Probably because phone providers can easily be social engineered into providing information.

Yeah. Much better to use a 2-factor code generator.

There are innumerable accounts of how at&t/vzw/sprint etc. call centers were socially engineered to take control of people’s phones – people who specifically had decent value in bitcoin savings on certain exchanges…

I need to reevaluate my security measures…

It’s overall more secure than nothing. It may be vulnerable if you are the target of specific attacks, but if you’re not specifically targeted it provides added security.

All it takes is a dumb phone company employee, of which I’m sure there are many.

It’s what I said, if someone targets you, it’s not a defense, but it does guard against blanket attacks.

Yeah Roman Atwood’s account appeared to be hacked earlier this week as well. Looks like Roman has regained control and deleted the pictures the hacker posted.

Also, will Instagram clarify if 2FA accounts were hit or not?

What would be the point of phoning these celebrities? Do they think DiCaprio doesn’t have caller ID? And if he did happen to pick it up, then what? Do you say, "Hey, I paid an exorbitant amount of money to some hackers who broke into your Instagram account to get your phone number. Fancy a chat over some coffee sometime?" Of course the more likely scenario is that all of these celebrities’ assistants have already changed the numbers, thereby already having foiled these hackers’ plans by using the mystical powers of halfway-decent cellular customer service.

"I talked to ________."

That’s it, that’s all. Bragging rights.

Years ago I believe it was Paris Hilton had her Sidekick hacked. Vin Diesel was one of the people that had his number exposed. I was on some forums right as it happened and I thought, screw it, let’s call him. He picked up shockingly and was super nice and after a brief exchange was like ‘how’d you get this number’. I told him and he just said ‘fuck, guess I’m getting a new number and turning my phone off until then. Thanks’. In retrospect it was juvenile but oh well.


per search

Someone tried to access my Instagram a few days ago too, but a few minutes later I got a message from Instagram to change my password since a new device in California (I’m in another country) was trying to log in. Here’s the twist: I’m not famous.

HA! Joke’s on them! My phone number has been for sale by the phone companies to telemarketers for YEARS!

This comment though

With so many companies getting hacked of late and malware dumped on servers to collect even more data YOU WOULD HAVE THOUGHT INSTAGRAM WOULD HAVE TAKEN THE NECESSARY STEPS TO AVOID GETTING HACKED, being that it is so popular.

We cannot trust these companies anymore since they are very self-serving and only give a shit about their bottom line and not their customers. Now I will delete my account and move on since social media is fucking the world up. Ever notice no one talks to anyone anymore but rather has to text the person even if they are standing beside each other?

Agree wholeheartedly!

