X

Instagram influencer data taken offline after exposure

It's the latest sensitive database left open on the internet.

Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce, Amazon, earned wage access, online marketplaces, direct to consumer, unions, labor and employment, supply chain, cybersecurity, privacy, stalkerware, hacking. Credentials
  • 2022 Eddie Award for a single article in consumer technology
Laura Hautala
3 min read
A phone displaying the Instagram logo rests on the keyboard of a laptop.

Account data for 49 million Instagram users has been exposed online. 

Getty Images

Instagram influencers make their lives public. Now an exposed database appears to have added to the information available about them.

Account data for 49 million Instagram users, including influencers and brand accounts, was exposed online, according to a report by TechCrunch. The records, which an independent researcher found had been publicly viewable since at least May 14, included public data that seemed to be scraped from Instagram users' profiles, as well as personal data like phone numbers and email addresses.

The database belonged to Chtrbox, an Indian marketing company that links influencers to brands that want to advertise their wares. Instagram investigated the data exposure and found that some of the data was obtained in a way that violated its Terms of Use. Instagram has revoked Chtrbox's access to its platform.

Independent cybersecurity researcher Anurag Sen found the data on the Shodan search engine, which indexes internet connected devices and servers. Sen said the database is no longer visible to the public. It's one more exposure of an inadequately secured cloud database -- a problem that's grown bigger as more and more companies put sensitive data on cloud servers without the expertise needed to lock the data down. Researchers around the world search for exposed databases and try to get companies to secure them, such as a cache of demographic information on 80 million US households removed in April.

Chtrbox said in a statement that the database was exposed for 72 hours, and the data wasn't private. "This database did not include any sensitive personal data and only contained information available from the public domain, or self reported by influencers," the company said.

The data is for internal use only, and isn't sold, Chtrbox said in its statement, adding that the data doesn't come from hackers or data breaches. The company didn't respond to a follow-up question on whether it scrapes public data from Instagram accounts.

"We take any allegation of data misuse seriously," an Instagram spokeswoman said in a statement. "We found that no private emails or phone numbers of Instagram users were accessed. Chtrbox's database had publicly available information from many sources, one of which was Instagram."

In a further statement on Twitter, Chtrbox said it's never had data on more than 350,000 Instagram influencers, which is far fewer than the millions of records reportedly found in the exposed database. The company didn't directly address the fact that Instagram revoked its access to the platform. In a statement responding to Instagram's findings, the company said, "We have always strived to respect our users' privacy, and analyze influencer public data with the goal to make our influencer marketing campaigns data-driven and intelligent."

It's not the first time Instagram accounts have leaked information on high-profile users. In 2017, hackers took advantage of a software bug in the photo sharing app to find phone numbers and contact information for celebrity users.

Mark Risher, head of account security at Google , said celebrity Instagram users might be at risk if hackers got their hands on their email addresses. He recommended Gmail users check their security settings through the Google Security Checkup and also set up extra login protections including prompts and the Advanced Protection Program.

"Given the high-profile nature of some of these accounts, attackers may try to break into the email accounts as a means to impersonate the legitimate account holder," Risher said.

Originally published May 20, 1:24 p.m. PT.
Updates, 1:45 p.m.: Adds comment from Instagram; 4:15 p.m.: Adds comment from Google's Mark Risher; May 21, 11:17 p.m.: Adds comment from Chtrbox; 2:27 p.m.: Adds details on Sen's findings; May 23, 3:04 p.m.: Clarifies that personal email and phone information exposed wasn't private, per Instagram's findings, adds Instagram statement on investigation; 3:44 p.m.: Adds that Instagram revoked Chtrbox's access to its platform; May 24, 11:20 a.m.: Adds comment from Chtrbox in response to Instagram's findings.