An unsecured database containing the private contact information for nearly 50 million Instagram influencers, including those of celebrities and official brand accounts, has been found online by a security researcher this week.
Database Exposed Email, Phone Numbers for Close to 50 Million Influencers
This afternoon, TechCrunch revealed that security researcher Anurag Sen had discovered an online database containing the private phone numbers and email addresses of almost 50 million Instagram influencers--including those of celebrities and official brand accounts. The database, hosted on an Amazon Web Services (AWS) server, didn't have any password protection on the data, leaving it completely open for anyone to access.
Having discovered the database, Sen reached out to TechCrunch for help trying to track down the owner of the database so it could at least be secured if nothing else. TechCrunch traced the database to Chtrbox, a Mumbai-based social media marketing company that pays influencers to post their clients' sponsored content on their accounts.
The database contained publicly available information found on Instagram, such as names, pictures, and number of followers, but it also had details on the accounts that aren't made public by Instagram, like the phone number and email address used to set up the account. The database also contained information about the accounts that appears to be Chtrbox's proprietary work product, such as the "worth" of the Instagram influencer--calculated using the number of followers, the number of shares and favorites, and other metrics--that appears to indicate how much Chtrbox should pay to have the influencer push its clients' sponsored content.
TechCrunch reviewed the database entries and reached out to several of the influencers at random and asked if the phone numbers and email addresses in the database were theirs. Two responded to the inquiries and verified that the email addresses and phone numbers were the ones they had used to set up their accounts, and both said that they were not involved with Chtrbox at all, raising questions about how the phone numbers and email addresses were obtained.
The database was taken off the AWS server shortly after TechCrunch reached out to Chtrbox, and the founder and CEO of the firm, Pranay Swarup, did not respond to TechCrunch's questions about the database or how the company obtained the information it contained.
Web scraping is a common data collection technique that can gather a massive amount of data very quickly from publicly available sources, but its use to collect data from social media accounts has become controversial in recent years, after Cambridge Analytica was able to scrape data from tens of millions of Facebook users in its political campaign consulting work.
"We're looking into the issue to understand if the data described – including email and phone numbers – was from Instagram or from other sources," Facebook, which owns Instagram, told TechCrunch. "We're also inquiring with Chtrbox to understand where this data came from and how it became publicly available."