Last week, we brought you a story about a breach within Instagram that allowed hackers to get their hands on the contact information for “high profile” accounts. Instagram is now saying that the scope of the breach has expanded to other Instagram accounts, not necessarily just those that are verified. Instagram CTO Mike Krieger wrote the following in a blog post:
“… We recently discovered a bug on Instagram that could be used to access some people’s email address and phone number even if they were not public. No passwords or other Instagram activity was revealed. We quickly fixed the bug, and have been working with law enforcement on the matter. Although we cannot determine which specific accounts may have been impacted, we believe it was a low percentage of Instagram accounts.”
One thing I mentioned last week that I thought was kind of low was that Instagram didn’t apologize for the breach. Instead, they told people to be more vigilant and to not answer their phone if they didn’t recognize the number, which I thought was kind of low considering the breach occurred due to a security issue with an API. That’s not the fault of Instagram users, but rather of Instagram themselves. But Krieger added, “we are very sorry this happened”. So are they taking responsibility for this now? It kind of sounds like that.
It is estimated that the hackers compromised six million accounts and set up a website called “Doxagram” which allegedly offered access to phone numbers, email addresses or both for 1000 of the Instagram accounts, at a mere $10 a search. Some of the leaked accounts had valid contact information, while some were already public information. The site was later taken offline. It is also alleged that some of the contact information from celebrities like Emma Watson, Leonardo DiCaprio, Harry Styles and Floyd Mayweather may have been circulating on the dark web. In addition, President Donald Trump’s contact information might have been on the site as well.
Last week, I talked about how this hack seemed to expose a low risk to the accounts that were hacked. But now the thought is that the breach could allow hackers to target these accounts for social engineering attacks. For example, someone accessed Selena Gomez’s account and posted nude photos of Justin Bieber, which means these kinds of things could continue to happen.
But this isn’t Instagram’s only problem right now. On Friday, it was reported that staff at Instagram are willing to verify accounts for a price. Those prices range anywhere from a bottle of wine to $15,000. Which is insane. Either way, this doesn’t look good for Instagram. While I was pretty hard on Instagram for urging people to change their passwords, I think that’s the safe thing to do now. Originally, we thought it was just a matter of stealing “a few” passwords, and some contact information. But if you don’t want someone getting into your account, a change of password is going to help. Instagram does need to get it together, or people will stop using it and opt for other social media options.