Instagram CTO Confirms Security Flaw Has Leaked Millions Of Account Details

Instagram has confirmed an API flaw exposed the personal information of millions of its users – not just verified accounts as was first reported.

Last week it emerged the telephone numbers and email addresses of ‘high-profile Instagram users’ had been exposed, but thankfully no passwords.

The photo-sharing app did not name the celebrities whose details have been compromised, but it did say it is conducting a ‘thorough investigation’ into the matter and was contacting those involved.

Instagram security

However it is now telling normal users that their details could also have been compromised.

“We care deeply about the safety and security of the Instagram community, so we want to let you know that we recently discovered a bug on Instagram that could be used to access some people’s email address and phone number even if they were not public,” said Mike Krieger, Instagram CTO. “No passwords or other Instagram activity was revealed.

“We quickly fixed the bug, and have been working with law enforcement on the matter. Although we cannot determine which specific accounts may have been impacted, we believe it was a low percentage of Instagram accounts.”

Krieger said users should be “vigilant” about the security of their account and be cautious if they see anything suspicious such as unrecognised calls, texts or emails. These could be used to stage phishing scams or social engineering. Additionally, it requests that any unusual activity is reported.

“Protecting the community has been important at Instagram from day one, and we’re constantly working to make Instagram a safer place. We are very sorry this happened,” added Kreiger.

Loading ...

Past incidents

Instagram has had a number of security scares in recent years.

In June ESET researchers warned that Russian hackers behind the Turla trojan package had started using Instagram as a means of staying hidden once they have infected a target network.

And last August security firm ZeroFOX warned a huge number of financial scamswere targeting Instagram account holders. Symantec had also warned that hacked Instagram profiles were being altered with pornographic imagery promoting adult dating and porn spam.

All those happened despite Instagram already being under pressure to ramp up its security following a number of high-profile incidents in 2015, including one where the account of pop star Taylor Swift was hijacked by Lizard Squad hackers.

In February 2016 the photo-sharing service added two-factor authentication (2FA) to its service, which meant users could choose to have two forms of identification verified before accessing their account. Instagram was acquired by Facebook back in 2012.

Quiz: What do you know about cyber security in 2017?

Steve McCaskill

Steve McCaskill is editor of TechWeekEurope and ChannelBiz. He joined as a reporter in 2011 and covers all areas of IT, with a particular interest in telecommunications, mobile and networking, along with sports technology.

Recent Posts

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

9 hours ago

Former Policy Boss At X Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

11 hours ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

12 hours ago

FTX Co-Founder Gary Wang Spared Prison

Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…

13 hours ago