Private contact data for millions of Instagram influencers exposed online

by Josh Peachey

A database containing the contact details of at least 49 million Instagram influencers was left exposed and without a password, allowing anyone to view it. 

Hosted by Amazon Web Services, the database contained influencers' private contact information, such as the Instagram account owner’s email address and phone number.

It also held public data scraped from influencer Instagram accounts, including their bio, profile picture, number of followers, whether they’re verified and their location by city and country.

After being alerted by Anurag Sen, a security researcher who wanted to get the database secured, TechCrunch traced it back to Chtrbox, a Mumbai-based social media marketing firm. 

Chtrbox pays influencers to post sponsored content on their accounts and the database helped the firm to calculate the worth of each influencer, based on the number of followers, engagement, reach, likes and shares they had. 

TechCrunch found several high-profile influencers in the exposed database, including prominent food bloggers, celebrities and other social media influencers. 

TechCrunch contacted several people from the database at random, and two influencers confirmed that the email address and phone number found in the database were the ones used to set up their Instagram accounts, but denied any involvement with Chtrbox.

Chtrbox took the database offline shortly after TechCrunch reached out. Its CEO, Pranay Swarup, did not respond to a request for comment or to several questions, including how the company obtained private Instagram account email addresses and phone numbers.

Two years ago, Instagram admitted a security bug in its developer API which allowed hackers to obtain the email addresses and phone numbers of six million Instagram accounts. The hackers later sold the data for bitcoin.

Months later, Instagram — now with more than a billion users — choked its API to limit the number of requests apps and developers can make on the platform.

Facebook, which owns Instagram, said it was looking into the matter.

“We’re looking into the issue to understand if the data described – including email and phone numbers – was from Instagram or from other sources,” said an updated statement. “We’re also inquiring with Chtrbox to understand where this data came from and how it became publicly available,” it added.