The database, hosted by Amazon Web Services, was left exposed without a password, allowing anyone to look inside. At the time of writing, the database had more than 49 million records, but it was growing by the hour.
From a brief review of the data, each record contained public data extracted from influencer Instagram accounts, including their biography, profile image, the number of followers they have, whether they are verified, and their location by city and country. The records also contained private contact information, such as the email address and phone number of the Instagram account owner.
Security researcher Anurag Sen discovered the database and alerted TechCrunch in an effort to find the owner and secure the database. We traced the database to Chtrbox, a social media marketing firm based in Mumbai, which pays influential people to publish sponsored content on their accounts. Each record in the database contained an entry that calculated the value of each account, based on the number of followers, commitment, scope, likes, and actions they had. This was used as a metric to determine how much the company could pay a celebrity or Instagram influencer to post an ad.
TechCrunch found several high profile influencers in the exposed database, including featured food bloggers, celebrities and other influential people on social media.
We contacted several people at random whose information was found in the database and provided them with their telephone numbers. Two of the people responded and confirmed that the email address and telephone number found in the database were the ones used to set up their Instagram accounts. Neither of them had any relationship with Chtrbox, they said.
Shortly after we reached out, Chtrbox took the database offline. Pranay Swarup, the founder and CEO of the company, did not respond to a request for comment or to several questions, including how the company obtained email addresses and phone numbers from Instagram accounts.
The scraping effort comes two years after Instagram admitted a security flaw in its developer API that allowed hackers to obtain the email addresses and phone numbers of six million Instagram accounts. The hackers then sold the data for bitcoin.
Months later, Instagram, now with more than a billion users, throttled its API to limit the number of requests that developers and applications can make on the platform.
Facebook, which owns Instagram, said it was investigating the matter.
“We are investigating the problem to understand if the data described, including phone numbers and email, were from Instagram or other sources,” said an updated statement. “We are also asking Chtrbox to understand where these data came from and how they were made available to the public,” the statement added.