The personal information of over 6 million Instagram users has been stolen by hackers and their details are now being sold on the Dark Web for $10 a pop.
According to both Instagram and the hackers themselves, the information was obtained through a bug in Instagram’s programming, which was quickly fixed when the leak was made public.
Instagram’s statement responding to the hack assured users that: “No account passwords were exposed. We fixed the bug swiftly and are running a thorough investigation,” also adding that “we believe this effort was targeted at high-profile users so, out of an abundance of caution, we are notifying our verified account holders of this issue.”
Suspicions over Instagram’s security were sparked earlier last week when Selena Gomez’s account was hijacked by hackers who posted nude photos of her ex-boyfriend, Justin Bieber, for the world to see.
Unfortunately, Instagram’s early assumption that the leak only targeted ‘high-profile users’ was quickly proven false. One of the hackers told US news website, The Daily Beast, “Instagram clearly hasn’t yet understood the full impact of this bug.”
The full list of stolen details, including email addresses and phone numbers, has been published on a Dark Web site called ‘Doxagram’, which allows anyone to pay $10 in bitcoin to search up any name in the database of over 6 million users.
Although the attack began by scraping the details of celebrities and popular companies, it then moved on to target their followers – trickling down the chain of accounts until the bug was eventually fixed.
The celebrities leaked include Emma Watson, Leonardo DiCaprio, Emilia Clarke, Taylor Swift, Snoop Dogg, Katy Perry, David Beckham and Floyd Mayweather.
These names might grab headlines, but it is highly likely that most of the celebrities’ leaked details are simply throwaway email addresses and the phone numbers of their PR interns. The same cannot be said for the millions of ordinary instagram users whose private details are now for sale.
Cybersecurity experts RepKnight warned: “The attack just goes to show the growing threat of the Dark Web. If you’ve been hacked and someone’s posted your contact details on a site that Google cannot reach, you’re highly unlikely to ever understand the severity of that hack,” adding that “everyone is at risk of the Dark Web these days — not just A-list celebrities.”
Instagram users should be especially careful not to post any identifying details on their accounts and, where possible, change their linked email address and phone number.