Instagram – a Facebook company – had a massive data leak of 50 million of some of its most influential celebrity Instagrammers in December 2018.
As the data was leaked by a third-party, Instagram did not need to report it.
Anurag Sen posted his discovery to his Twitter Account and reported the matter to TechCrunch. The leak was traced back to an unprotected Amazon Web Services cloud owned by Mumbai-based social media marketing firm Chtrbox.
Chtrbox pays influencers to post sponsored content on their accounts. Its records contain data that calculates the worth of each account, based off the number of followers, engagement, reach, likes and shares they have. This is a metric to determine how much the company pays an Instagram celebrity or influencer to post an ad.
The data scraped from influencer Instagram accounts, includes their bio, profile picture, the number of followers, if they’re verified and their location by city and country. It also contains their private contact information, such as the Instagram account owner’s email address and phone number.
How did Chtrbox scrape the Instagram data?
Poorly written and insecure Instagram APIs (from parent company with poorly written APIs – Facebook) allow developers and hackers to scrape data. In one case, a hacker obtained six million account details.
Is it ethical?
Instagram, like Facebook, exposes its data to developers and others in the same way, Facebook exposed 50 million users to Cambridge Analytica.
Facebook feels that the only way it can monetise its activities is to sell data to its ‘partners’. That business practice is not ethical in so far as it will not pass the ‘pub-test’. Conversely, it is not breaking the law – at present, there is no overarching legislation to stop it.
The database is now offline. Chtrbox says the exposed data wasn’t private, and personal data wasn’t sourced through ‘unethical means.’ The database was exposed for 72 hours, the company said.
Facebook (parent) has had so many scandals we could devote many Facebook pages to it. Its children, WhatsApp and Instagram, under the same governance don’t have sterling privacy records either.
You can read the extensive list of Facebook acquisitions here.
Instagram responds (24 May 11.15AM)
“We take any allegation of data misuse seriously. Following an initial investigation into the claims made in this story, we found that no private emails or phone numbers of Instagram users were accessed. Chtrbox’s database had publicly available information from many sources, one of which was Instagram.”