Instagram website leaked phone numbers and emails for months, researcher says

The flaw made the information easy to scrape and turn into a database.

Laura Hautala
Laura Hautala
Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce, Amazon, earned wage access, online marketplaces, direct to consumer, unions, labor and employment, supply chain, cybersecurity, privacy, stalkerware, hacking. Credentials
  • 2022 Eddie Award for a single article in consumer technology
Laura Hautala
3 min read

The exposure appeared to include contact information for thousands of accounts. 

Graphic by Pixabay/Illustration by CNET

Instagram's website leaked user contact information, including phone numbers and email addresses, over a period of at least four months, a researcher says.

The source code for some Instagram user profiles included the account holder's contact information whenever it loaded in a web browser, says David Stier, a data scientist and business consultant, who notified Instagram shortly after he discovered the problem earlier this year. The contact information wasn't displayed on the account holder's profiles on the desktop version of the Instagram website, although it was used by the photo sharing site's app for communication. It isn't clear why the information was included in the website's source code.

The exposure appeared to include contact information for thousands of accounts, which belonged to private individuals -- some of whom were minors -- along with businesses and brands, Stier said. Including the information in the source code could let hackers scrape the data from the Instagram website, allowing them to assemble a virtual phone book that lists the contact details of thousands of Instagram users.

Such a directory may have been created. On Monday, a report revealed that a marketing company in India, Chtrbox, had obtained contact information for millions of Instagram accounts and stored it on an unsecured database. It's unclear how that database was created, but scraping data from Instagram is against the company's terms of use. 

In a statement, Instagram spokeswoman Stephanie Otway said the data Stier found in the website's source code was not private.

"The contact information discovered in this case is not private contact information, but contact information a member of the Instagram community chose to share when converting their profile to a Business Profile," Otway said. "During the setup process for Business Profiles we display this information, remind people that it will be accessible to others, and allow them to update or remove the information."

The statement didn't address the risk that the data could be scraped from the website source code.

Instagram also said the contact information in the Chtrbox database was not private. However, the company said Chtrbox did access some of the contact information from users' profiles in violation of Instagram policies, leading Instagram to revoke Chtrbox's access to its platform. 

In a statement, Chtrbox said it didn't source the information through unethical means.

Stier said he found evidence that the phone numbers and emails had been in the source code since at least October by looking at archived versions of Instagram profiles. He reported the problem to Instagram in February and the problem was fixed in March, he said.

The exposure is an example of how easy it is to find sensitive information on the web. Programming errors can expose information that people with basic skills can find and abuse. For example, Google revealed Tuesday it'd been storing some business customers' passwords in plain text, an insecure practice that sidesteps industry-standard protections. These slip-ups can help hackers amass valuable information on web users, putting them at risk of fraud and identity theft, experts say.

The contact information is still available on the Instagram app, which displays users' email addresses and phone numbers if they have opted into letting others contact them through the app. While that design isn't ideal, it's more secure than including contact information in the source code for a website, says Jason Hong, a computer science professor at Carnegie Mellon University who researches app security and privacy.

"Scraping data from a website is relatively easy," Hong said. "Scraping data from a running app is possible but rather hard."

You might think criminals couldn't do much damage if all they had was your email address or phone number. But identity thieves still amass that data with the goal of combining it with other information gleaned from exposures and hacking attacks. For example, security expert Troy Hunt wrote in January that he'd discovered a cache of 773 million passwords composed of data taken from several different data breaches.

Criminals piece together as much identifying information as possible to defeat fraud detection measures and successfully pose as someone else, said Charity Lacey, vice president of communications for the Identity Theft Resource Center.

"Thieves are aggregating that data and creating more robust profiles in order to defeat the system," Lacey said.

Originally published May 22.
Update, May 23: Adds statement from Instagram.