Data from 14 million Instagram profiles has been exposed in an insecure database available online.

Data from 14 million Instagram accounts has been kept in an insecure database that could be accessed by adversaries, leaving users vulnerable to cyber attacks.

The data available in the database includes users’ profile names, stored links to profile pictures and their Instagram IDs.

The expert Oliver Hough found the data on the Shodan web scanning service.

The data is available on an Elastic server, physically located in the U.K., and includes 14,526,602 entries.



According to a screenshot Oliver posted on his Twitter account on Friday, some entries also have empty fields for home addresses and telephone numbers.

At this moment, it is not clear who is the author of this leak. Nonetheless, Oliver suggested a third party could be scraping Instagram and storing public data for later analysis, either for targeted marketing or another purpose.

This leak must be considered critical, as the information can be combined with databases of stolen passwords (credential stuffing), and adversaries can use that combination to compromise and “hack” victims’ accounts.

“On the black hat side of things, well, it’s 14 million valid usernames,” he said. “Combine that with large password lists and I’m sure it would be a fun day.”


As can be seen from the Kibana web interface, entries were created in Elasticsearch from May 2016 until 01 October 2018.


According to Segurança Informática, data from some Portuguese users was also exposed online.



At this moment, the Elasticsearch cluster and Kibana are also online, and anyone can access users’ data.

Instagram did not respond to multiple requests for comment.