Instagram hack not confined to verified account holders

Last week we reported that hackers had managed to gain access to the contact numbers and email addresses (but not passwords) of a number of high-profile users on Instagram via a bug in the app’s API (Application Programming Interface) used to communicate with other apps.

At the time, Instagram said the hack was limited to holders of verified accounts, but according to The Verge, it appears the hack has actually affected a far greater number of users, including non-verified account holders, although Instagram is refusing to confirm how many. In a blog post, Instagram co-founder and CTO Mike Kreiger said: “Although we cannot determine which specific accounts may have been impacted, we believe it was a low percentage of Instagram accounts.”

According to The Verge report, there are more than 700m active Instagram accounts, and hackers say they have information on file for 6m users.

Having obtained the information, the hackers then started trying to sell it via a searchable database called Doxagram. This listed 1,000 accounts, charging users $10 for each search for Instagram users’ contact information. The list included most of the 50 most-followed Instagram accounts on the service.

Doxagram is now offline, though in a horse-bolted-stable-door-closed attempt to limit the damage, Instagram has since registered a variety of Doxagram domains, including doxagram.christmas, doxagram.hiphop and doxagram.mom, according to Domainwire.

Despite this, cybersecurity firm RepKnight says it has found what purport to be contact information for celebrities including Emma Watson, Zac Efron, Leonardo DiCaprio, Harry Styles, Ellie Goulding, Victoria Beckham, Beyoncé, Floyd Mayweather, Neymar and David Beckham.