Instagram CTO Confirms Security Flaw Has Leaked Millions Of Account Details

Instagram has confirmed an API flaw exposed the personal information of millions of its users – not just verified accounts as was first reported.

Last week it emerged the telephone numbers and email addresses of ‘high-profile Instagram users’ had been exposed, but thankfully no passwords.

The photo-sharing app did not name the celebrities whose details have been compromised, but it did say it is conducting a ‘thorough investigation’ into the matter and was contacting those involved.


However, it is now telling normal users that their details could also have been compromised.

“We care deeply about the safety and security of the Instagram community, so we want to let you know that we recently discovered a bug on Instagram that could be used to access some people’s email address and phone number even if they were not public,” said Mike Krieger, Instagram CTO. “No passwords or other Instagram activity was revealed.

“We quickly fixed the bug, and have been working with law enforcement on the matter. Although we cannot determine which specific accounts may have been impacted, we believe it was a low percentage of Instagram accounts.”

Krieger said users should be “vigilant” about the security of their account and be cautious if they see anything suspicious such as unrecognised calls, texts or emails. These could be used to stage phishing scams or social engineering. Additionally, it requests that any unusual activity is reported.

“Protecting the community has been important at Instagram from day one, and we’re constantly working to make Instagram a safer place. We are very sorry this happened,” added Krieger.


Past incidents

Instagram has had a number of security scares in recent years.

In June, ESET researchers warned that Russian hackers behind the Turla trojan package had started using Instagram as a means of staying hidden once they had infected a target network.

And last August security firm ZeroFOX warned a huge number of financial scams were targeting Instagram account holders. Symantec had also warned that hacked Instagram profiles were being altered with pornographic imagery promoting adult dating and porn spam.

All those happened despite Instagram already being under pressure to ramp up its security following a number of high-profile incidents in 2015, including one where the account of pop star Taylor Swift was hijacked by Lizard Squad hackers.

In February 2016 the photo-sharing service added two-factor authentication (2FA) to its service, which meant users could choose to have two forms of identification verified before accessing their account. Instagram was acquired by Facebook back in 2012.


Steve McCaskill

Steve McCaskill is editor of TechWeekEurope and ChannelBiz. He joined as a reporter in 2011 and covers all areas of IT, with a particular interest in telecommunications, mobile and networking, along with sports technology.
