Private contact data of millions of Instagram influencers exposed publicly

An unsecured database containing the private contact information of as many as 50 million Instagram influencers, including those of celebrities and official brand accounts, has been found online by a security researcher this week. According to a report by TechCrunch, security researcher Anurag Sen found the database hosted on an Amazon Web Services (AWS) server without any password protection on the data, leaving it completely open for anyone to access. Having discovered the database, the security researcher reached out to the publication for help trying to track down the owner of the database so it could at least be secured if nothing else. TechCrunch traced the database to a Mumbai-based social media marketing company, Chtrbox, that pays influencers to post their clients’ sponsored content on their accounts. [caption id=“attachment_5322381” align=“alignnone” width=“1024”] Representational image.[/caption] Further digging revealed that the database contained publicly available information found on Instagram, such as names, pictures and the phone number of followers, but it also had details on the accounts that aren’t made public by Instagram, like phone numbers and email addresses used to set up the account. The database also contains information about the “worth” of Instagram influencers, calculated by Chtrbox taking into account the number of followers, total shares, favourites, and other metrics. This data would then help the social media marketing company gauge how much to pay to have the influencer push their clients’ sponsored content. Further reviewing the database entries, several influencers in the database were contacted at random and asked if the phone numbers and email addresses in the database were theirs. At least two influencers responded to the inquiries and verified that the email addresses and phone numbers were the ones they had used to set up their accounts, and both said that they were not involved with Chtrbox at all. This, obviously, raises further questions about how the phone numbers and email addresses were obtained by Chtrbox in the first place? The database was taken off the AWS server shortly after Chtrbox was reached out to, and the founder and CEO of the firm, Pranay Swarup, did not respond to any question questions about the database or how the company obtained the information it contained. Facebook, which owns Instagram, in a statement, said, “We’re looking into the issue to understand if the data described – including email and phone numbers – was from Instagram or from other sources. We’re also inquiring with Chtrbox to understand where this data came from and how it became publicly available.”