Over 49m Instagram users, including influencers and celebrities, unknowingly had their personal information made public after it was stored on an unprotected database. The database, which was hosted by Amazon Web Services, was discovered by security researcher Anurag Sen, who then alerted TechCrunch.
The database contained public information gathered from Instagram accounts, including bios, profile pictures, follower counts, and location. Additionally, the database had collected private contact details including the phone number and email address associated with the Instagram account.
TechCrunch was able to trace the database back to Mumbai-based social media marketing firm Chtrbox, which pays influencers to post sponsored content. Chtrbox apparently used the database to calculate each influencer’s worth based on follower count, engagement, reach, likes and shares. Based on those popularity metrics, the company decided how much it would pay each influencer per post.
Chtrbox has not commented on the database or on how it gathered the personal information, but has since pulled the database offline. Facebook, which owns Instagram, is continuing to look into the breach.
"We're looking into the issue to understand if the data described - including email and phone numbers - was from Instagram or from other sources. We're also inquiring with Chtrbox to understand where this data came from and how it became publicly available," said Facebook in a statement.