Instagram – a Facebook company – had a massive leak of data belonging to
50 million of its most influential celebrity Instagrammers in December
As the data was leaked by a third party, Instagram did not
need to report it.
Anurag Sen posted his discovery to his Twitter account and reported the matter to TechCrunch. The leak was traced back to an unprotected Amazon Web Services cloud owned by Mumbai-based social media marketing firm Chtrbox.
Chtrbox pays influencers to post sponsored content on their
accounts. Its records contain data that calculates the worth of each account,
based on the number of followers, engagement, reach, likes and shares they have.
This is a metric to determine how much the company pays an Instagram celebrity
or influencer to post an ad.
The data scraped from influencer Instagram accounts includes
their bio, profile picture, the number of followers, whether they’re verified and
their location by city and country. It also contains their private contact
information, such as the Instagram account owner’s email address and phone
How did Chtrbox scrape the Instagram data?
Poorly written and insecure Instagram APIs (from parent company
with poorly written APIs – Facebook) allow developers and hackers to scrape
data. In one case, a hacker obtained six million account details.
Is it ethical?
Instagram, like Facebook, exposes its data to developers and others in the same way Facebook exposed 50 million users to Cambridge Analytica.
that the only way it can monetise its activities is to sell data to its ‘partners’.
That business practice is not ethical in so far as it will not pass the ‘pub-test’.
Conversely, it is not breaking the law – at present, there is no overarching legislation
to stop it.
The database is now offline. Chtrbox says the exposed data
wasn’t private, and personal data wasn’t sourced through ‘unethical means.’ The
database was exposed for 72 hours, the company said.
Facebook (parent) has had so many scandals we could devote many Facebook pages to it. Its children, WhatsApp and Instagram, under the same governance, don’t have sterling privacy records either.
You can read the extensive list of Facebook acquisitions here.
Instagram responds (24 May 11.15AM)
“We take any allegation of data misuse seriously. Following an initial investigation into the claims made in this story, we found that no private emails or phone numbers of Instagram users were accessed. Chtrbox’s database had publicly available information from many sources, one of which was Instagram.”