A security researcher found a flaw in Instagram’s website that caused thousands of users’ email addresses and phone numbers to be exposed online for several weeks, it was revealed on Thursday.
David Stier, a data scientist and business consultant, told CNET the website source code for some Instagram user profiles included the account holder’s contact information whenever it loaded in a web browser.
Although the contact information was available in Instagram’s mobile app if users chose to reveal it in their profile, it was never displayed on the desktop version of the Instagram website, so it’s unclear why the details were exposed.
The leaked contacts are said to have come from thousands of accounts belonging to private individuals, including minors, as well as businesses and brands. Stier alerted Instagram to the problem shortly after discovering it in February, and the photo-focused social platform issued a patch in March.
According to Stier, including the details in the source code could have let hackers scrape the data from the website relatively easily and use it to compile a database listing the contact information of thousands of Instagram users.
A similar data haul may have already occurred. On Monday it was revealed that a database containing contact information for millions of Instagram influencers, celebrities, and brand accounts had been leaked online.
The records included public data pulled from Instagram, such as profile picture, biography, and follower numbers, but also private contact information like phone numbers and email addresses.
The database was initially uploaded and shared by Mumbai-based social media marketing firm Chtrbox, a company that pays Instagram influencers to share sponsored content. Though uploaded by Chtrbox, the database included info from influencers who have never worked with the company.
In a statement, Chtrbox said the information in its database wasn’t private and that it didn’t source the information through unethical means.
Instagram parent company Facebook said on Monday that it was investigating the Chtrbox database. “We’re also inquiring with Chtrbox to understand where this data came from and how it became publicly available,” said Facebook.
A similar privacy incident befell the social media platform in August 2017, when a bug related to an Instagram API allowed hackers to breach multiple high-profile Instagram accounts belonging to celebrities.