CNET también está disponible en español.

Ir a español

Don't show this again

HolidayBuyer's Guide
Security

Instagram flaw lets hackers sell celebrities' data at $10 a pop

Hackers set up a searchable database that allows people to find contact info for hundreds of stars, at ten bucks per query.

Taylor Swift is among the A-list celebrities whose data has leaked to the darknet due to a flaw in Instagram.

Taylor Swift is among the A-list celebrities whose data has leaked to the darknet due to a flaw in Instagram.

Taylor Swift video screenshot by CNET

All you need is ten bucks to get in touch with Taylor Swift, thanks to an Instagram data leak.

A seller on the darknet was able to harvest the email addresses and phone numbers of up to 500 celebrities by way of a bug in the popular photo-focused social network. The flaw let hackers steal a user's credentials and was patched after researchers with Kaspersky Lab warned Instagram on Tuesday.

Nevertheless, contact info for hundreds of celebrities is now for sale on the darknet via a searchable database, at $10 per query, researchers from security company RepKnight discovered. The sellers are going by the name Doxagram, a combination of Instagram and "doxxing," a term for dumping someone's private info, or documents, online.

The group is offering contact data on stars like Miley Cyrus, Beyonce, Leonardo DiCaprio, Emma Watson and boxer Floyd Mayweather. Information on as many as 500 A-list celebrities is in the database, Patrick Martin, a security analyst at RepKnight said. 

"While Instagram has now fixed the bug that led to the leak, the cat is out of the bag, and those affected will have to take extra care to maintain their privacy," Martin said.

Doxagram claims to have posted contact info for up to 6 million Instagram users in the searchable database. On a bitcoin forum, a user with the name Doxagram who was advertising the service wrote that the group offers "the only Instagram lookup service on the market" and can pull data on any Instagram account.

Instagram said it's aware of the claim and is investigating. "We take people's security very seriously and are working closely with law enforcement on this matter," the company said in a statement Friday. "We encourage people to be vigilant about the security of their account and exercise caution if they encounter any suspicious activity such as unrecognized incoming calls, texts and emails." (That can be done by tapping the "..." menu in your profile and selecting "Report a Problem" and then "Spam or Abuse.")

Some listings have only email addresses, without phone numbers. On Friday morning, a person claiming to be behind Doxagram told Ars Technica the group had made $500 within six hours before the existence of the database was made public.

On Wednesday, after Instagram fixed the bug, the company said the attack was aimed at "high-profile" verified users. Instagram has since determined that the issue has affected some nonverified accounts as well. It can't determine which accounts those are, "but we believe it was a low percentage," the company said.

No passwords have been stolen, the company reiterated. Still, leaked contact data can lead to phishing attacks and privacy breaches.

The flaw was in Instagram code that went into use in 2016, according to Kaspersky Lab researchers. Kaspersky said hackers looking to exploit the flaw would have had to do it manually, as Instagram's protection prevented automated scraping. But the hackers told Ars Technica they were able to steal information from 1 million accounts an hour.

The Doxagram team didn't respond to requests for comment.

First published Sept. 1, 1:59 p.m. PT.
Updated at 3:24 p.m.: with comment from Instagram.

iHate: CNET looks at how intolerance is taking over the internet.

The Smartest Stuff: Innovators are thinking up new ways to make you, and the things around you, smarter.