Data from 14 million Instagram accounts has been kept in an insecure database that could be accessed by adversaries, leaving those users vulnerable to cyber attacks.
The data include users’ profile names, links to their profile pictures and their Instagram IDs.
The security expert Oliver Hough found the database through the Shodan internet scanning service.
The data are held on an Elasticsearch server physically located in the U.K. and comprise 14,526,602 entries.
According to a screenshot Oliver posted on his Twitter account on Friday, some entries also have empty fields for home addresses and telephone numbers.
someone is indexing @instagram users
lots of them: 14,526,602 entries
The interesting part is the entries have empty fields for home address and telephone number. pic.twitter.com/QX0f3tPYjh
— Oliver Hough ❄ (@olihough86) February 8, 2019
At this moment it is not clear who is responsible for this leak. Nonetheless, Oliver suggested that a third party could be scraping Instagram and storing public data for later analysis, either for targeted marketing or for another purpose.
This leak must be considered critical because the information can be combined with databases of stolen passwords (credential stuffing), which adversaries can use to compromise and “hack” victims’ accounts.
“On the black hat side of things, well, it’s 14 million valid usernames,” he said. “Combine that with large password lists and I’m sure it would be a fun day.”
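The risk described above, a list of valid usernames replayed against a large password list, leaves a characteristic trace in authentication logs: one source failing logins for many different usernames in a short window, occasionally followed by a success. The following detector is an added example and is not part of the original article; the log format, the sample lines and the thresholds are constructed for illustration, and the source addresses are from the RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (hypothetical format, not Instagram's).
# 203.0.113.5 sprays many usernames and lands one success (dave);
# 198.51.100.7 is a single user mistyping a password twice.
SAMPLE_LOG = """\
2019-02-08T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2019-02-08T10:00:02Z src=203.0.113.5 user=bob result=FAIL
2019-02-08T10:00:02Z src=203.0.113.5 user=carol result=FAIL
2019-02-08T10:00:03Z src=203.0.113.5 user=dave result=OK
2019-02-08T10:00:04Z src=203.0.113.5 user=erin result=FAIL
2019-02-08T10:00:05Z src=203.0.113.5 user=frank result=FAIL
2019-02-08T10:00:10Z src=198.51.100.7 user=alice result=FAIL
2019-02-08T10:00:20Z src=198.51.100.7 user=alice result=FAIL
2019-02-08T10:00:30Z src=198.51.100.7 user=alice result=OK
2019-02-08T11:30:00Z src=203.0.113.5 user=grace result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_credential_stuffing(log_text, window=timedelta(minutes=10), min_distinct_users=5):
    """Return {src: peak_distinct_users} for sources whose failed logins cover at
    least min_distinct_users different usernames inside any sliding time window.
    A single user failing repeatedly (a forgotten password) does not trigger."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["result"] == "FAIL":
            failures[ev["src"]].append((ev["ts"], ev["user"]))

    flagged = {}
    for src, events in failures.items():
        events.sort()
        in_window = defaultdict(int)  # username -> failures currently inside the window
        start = 0
        for ts, user in events:
            in_window[user] += 1
            # Slide the window start forward past events older than `window`.
            while ts - events[start][0] > window:
                old_user = events[start][1]
                in_window[old_user] -= 1
                if in_window[old_user] == 0:
                    del in_window[old_user]
                start += 1
            if len(in_window) >= min_distinct_users:
                flagged[src] = max(flagged.get(src, 0), len(in_window))
    return flagged


def successful_logins_from(log_text, flagged):
    """For each flagged source, list the usernames that logged in successfully.
    These are the accounts to treat as probably compromised (force a password
    reset, invalidate sessions, notify the user)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["src"] in flagged and ev["result"] == "OK":
            hits[ev["src"]].append(ev["user"])
    return dict(hits)


if __name__ == "__main__":
    suspects = detect_credential_stuffing(SAMPLE_LOG)
    print("sources showing stuffing pattern:", suspects)
    print("accounts to reset:", successful_logins_from(SAMPLE_LOG, suspects))
```

The distinct-username count per source, rather than the raw failure count, is what separates stuffing from an ordinary user mistyping a password; in production the window and threshold would be tuned against the service's normal traffic, and the same logic can be keyed on a session or device fingerprint when attackers rotate source addresses.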
As can be seen from the Kibana web interface, entries were created in Elasticsearch from May 2016 until 01 October 2018.
According to Segurança Informática, data from some Portuguese users were also exposed online.
At this moment, the Elasticsearch cluster and Kibana are still online, and anyone can access users’ data.
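The exposure described here is the classic shape of an Elasticsearch leak: the REST API bound to a public interface with no authentication in front of it, which is exactly what Shodan indexes. The following checker is an added example, not code from the article or from Elastic; it reads the flat `key: value` subset of an elasticsearch.yml (list-valued settings such as `network.host: [_local_, _site_]` are out of scope) and applies the pre-8.x default that security is off unless `xpack.security.enabled` is set. Both configuration fragments are constructed for illustration; the same reasoning applies to kibana.yml, where `server.host` plays the role of `network.host`.

```python
# Constructed elasticsearch.yml fragments: the exposed shape and a hardened one.
EXPOSED_CONFIG = """\
cluster.name: scraped-profiles   # hypothetical cluster name
network.host: 0.0.0.0            # listens on every interface
http.port: 9200
"""

HARDENED_CONFIG = """\
cluster.name: scraped-profiles
network.host: 127.0.0.1          # loopback only; front it with a reverse proxy or VPN
http.port: 9200
xpack.security.enabled: true     # require authentication on the REST API
xpack.security.http.ssl.enabled: true
"""

# Values of network.host that keep the node reachable only from the host itself.
LOCAL_HOSTS = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_flat_yaml(text):
    """Parse the flat 'key: value' lines of an elasticsearch.yml into a dict.
    Comments and blank lines are skipped; nested or list values are not handled."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def is_true(value):
    return str(value).strip().lower() == "true"


def audit_elasticsearch_config(text):
    """Return a list of findings for an elasticsearch.yml; an empty list means
    the node is either loopback-only or externally bound with auth and TLS."""
    s = parse_flat_yaml(text)
    findings = []
    # Elasticsearch binds to loopback when network.host is unset.
    host = s.get("network.host", "_local_")
    externally_bound = host not in LOCAL_HOSTS
    # Assumed pre-8.x default: security is disabled unless explicitly enabled.
    security_on = is_true(s.get("xpack.security.enabled", "false"))
    tls_on = is_true(s.get("xpack.security.http.ssl.enabled", "false"))

    if externally_bound and not security_on:
        findings.append(
            "CRITICAL: network.host=%s exposes the REST API (and any Kibana in "
            "front of it) to the network without authentication" % host
        )
    if externally_bound and security_on and not tls_on:
        findings.append(
            "WARNING: authentication is enabled but HTTP TLS is off, so "
            "credentials and indexed data cross the network in clear text"
        )
    return findings


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_elasticsearch_config(cfg) or ["no findings"])
```

Binding to loopback is the single change that would have kept this cluster off Shodan; enabling authentication and TLS matters once the node genuinely has to be reachable from other hosts, and a network-level control (security group, firewall, VPN) should sit in front of it regardless of what the application config says.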
Instagram did not respond to multiple requests for comment.
Pedro Tavares is a professional in the field of information security working as an Ethical Hacker/Pentester, Malware Researcher and Security Evangelist. He is also a founding member of CSIRT.UBI and Editor-in-Chief of the computer security blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also a freelance writer (Infosec Resources Institute and Cyber Defense Magazine) and the developer of 0xSI_f33d, a feed that compiles phishing and malware campaigns targeting Portuguese citizens.