Unsecured database exposed private information of millions of Instagram influencers

Posted in General Discussion, edited May 2019
An unsecured database thought to be owned by a Mumbai-based social media marketing firm exposed the personal information of millions of Instagram influencers, including those not affiliated with the company.

Discovered by security researcher Anurag Sen, the insecure database was hosted by Amazon Web Services without a password, allowing anyone with knowledge of its location to view private details attached to at least 49 million records, reports TechCrunch.

An investigation by the publication led back to Chtrbox, a social media marketing firm that seeks out and pays popular Instagram users for sponsored posts. The company has since removed the database that included a comprehensive list of influencers and their respective bio, location, follower count and in some cases telephone number and email address details.

The database appears to be legitimate, as the publication successfully contacted a number of account holders on the list.

Chtrbox, like other marketers in the field, uses the gathered particulars and other metrics to calculate account value, which in turn dictates prices paid for sponsored posts. How it obtained private account information is unclear, though it seems the company was indeed able to scrape data from the social networking service. Two unnamed users confirmed their phone numbers and email addresses, but noted no affiliation with the marketing firm.

It is unknown how long the records remained online before Sen's discovery.

"We're looking into the issue to understand if the data described - including email and phone numbers - was from Instagram or from other sources," Instagram owner Facebook said in a statement. "We're also inquiring with Chtrbox to understand where this data came from and how it became publicly available."

Instagram faced a similar issue in 2017 when hackers exploited a bug in the platform's developer API to obtain the phone numbers and email addresses of high-profile account holders.

Comments

  • Reply 1 of 11
    chasm Posts: 3,304 member
    The problem here is that nobody goes to jail, nor does the company face scads of civil lawsuits and massive fines for this behaviour ... which assures that it will continue.
  • Reply 2 of 11
    robin huber Posts: 3,960 member
    Since I find that “influencers” are pimps for mindless consumerism, having their privacy violated is fine with me. They need to get productive jobs. 
    edited May 2019
  • Reply 3 of 11
    lkrupp Posts: 10,557 member
    Who cares anymore? I mean really, who cares? By now we should all know that if you are on any social media your life story is an open book. And anything you post on social media can come back and bite you in the ass at any time. Your name, your email, maybe even your home address is out there, somewhere, for the picking.
  • Reply 4 of 11
    apple ][ Posts: 9,233 member
    Good, I’ve always thought that an “influencer” was a really dumb thing to be. I’ve certainly never been influenced by any influencer, quite the opposite.

    And anybody who is still on Facebook or any of their other companies can’t really complain about whatever happens and will continue to happen in the future.
    edited May 2019
  • Reply 5 of 11
    dysamoria Posts: 3,430 member
    Unregulated capitalism is cancer. 
  • Reply 6 of 11
    22july2013 Posts: 3,573 member
    There is probably a right (or at least a law) to privacy, but there's most certainly a right to the lack of it. Nobody can force you to keep your privates private. And if Facebook wants to be the middle-man to implement people's right to publicity, that's absolutely their right. In much the same way that some people (usually professional models) like to sell their good looks. Can't stop them either. Facebook is acting like a modelling agency in this respect. Facebook is also collecting data on their models and viewing customers, but I'm sure all modelling agencies have been doing that to some extent forever.
  • Reply 7 of 11
    anome Posts: 1,533 member
    There is probably a right (or at least a law) to privacy, but there's most certainly a right to the lack of it. Nobody can force you to keep your privates private. And if Facebook wants to be the middle-man to implement people's right to publicity, that's absolutely their right. In much the same way that some people (usually professional models) like to sell their good looks. Can't stop them either. Facebook is acting like a modelling agency in this respect. Facebook is also collecting data on their models and viewing customers, but I'm sure all modelling agencies have been doing that to some extent forever.
    That's valid, but there must also be a right to say where the line is. I can choose what I share and what I keep private. Admittedly some people ride a very fine line between the two, but just because someone is a model who posts risque pictures of themselves online, doesn't mean they should have pictures they'd rather keep private posted online, as well. Likewise, a glamour model doesn't necessarily want their private phone number, bank account details, or the time of their next gynecologist appointment posted online.
  • Reply 8 of 11
    22july2013 Posts: 3,573 member
    anome said:
    There is probably a right (or at least a law) to privacy, but there's most certainly a right to the lack of it. Nobody can force you to keep your privates private. And if Facebook wants to be the middle-man to implement people's right to publicity, that's absolutely their right. In much the same way that some people (usually professional models) like to sell their good looks. Can't stop them either. Facebook is acting like a modelling agency in this respect. Facebook is also collecting data on their models and viewing customers, but I'm sure all modelling agencies have been doing that to some extent forever.
    That's valid, but there must also be a right to say where the line is. I can choose what I share and what I keep private. Admittedly some people ride a very fine line between the two, but just because someone is a model who posts risque pictures of themselves online, doesn't mean they should have pictures they'd rather keep private posted online, as well. Likewise, a glamour model doesn't necessarily want their private phone number, bank account details, or the time of their next gynecologist appointment posted online.
    I'm not sure if you were suggesting that the model or Facebook needs to refrain from putting too much information about a person online. I think you were saying the former. I may agree perfectly with that but I think you realize I'm strictly talking here about people's rights. I don't think there's anything you can do legally to stop the glamour model you mention from revealing any of the details you mentioned, including bank details. You can't legally enforce intelligence and you can't legally prohibit stupidity, at least when it comes to revealing information about yourself. And you can't blame the agents of people's stupidity (e.g., Facebook) for their client's choices. Just like we don't blame lawyers for defending accused murderers.
  • Reply 9 of 11
    wonkothesane Posts: 1,727 member
    lkrupp said:
    Who cares anymore? I mean really, who cares? By now we should all know that if you are on any social media your life story is an open book. And anything you post on social media can come back and bite you in the ass at any time. Your name, your email, maybe even your home address is out there, somewhere, for the picking.
    I agree. Happens all the time, mostly without tangible consequences for both affected people and those responsible.
    So just Yet-Another-Breach and boring like a weather report to many I guess. 
    Personally, I focus on educating people around me along your lines that “be prepared that anything you share one day will go public or end up in hands you didn’t intend to”. 
  • Reply 10 of 11
    jbdragon Posts: 2,311 member
    These things will continue to happen. Which is why you need a password manager. If you're only Apple then Keychain is ok and free. I use LastPass. You need a nice long random password for each place you are signed up on. If the Database gets leaked at one place and they don't tell people until 6 months later, your other sites are compromised also. Turning on 2-Factor is also a big plus. A few months back someone was trying to gain access to my Apple Account. But I had 2 factor on. Not sure how they got my password, though I had used it at a few other places and it was one I've used a long time and hadn't gotten around to changing also. But a Box popped up on my iPhone asking if I wanted this new device to get access, the whole Allow/Deny box which showed a small map location which was inside China!!!!

    Without 2 factor on, they would have gained access to everything. Of course I changed my Apple account passwords at that point to random 20 digit passwords. There is no hope of me ever being able to remember 1 of them let alone many of them. You really want to make sure you are using 2 factor for e-mail, because access to your email means access to your other accounts. I have it on for my bank. I have it on even for Amazon, though they are annoying. So much more than everyone else as you always have to enter the code. It will never remember your device even though you click on the check mark. So strong passwords, use 2-factor, and leave as little personal info as possible.
    edited May 2019
  • Reply 11 of 11
    blah64 Posts: 993 member
    anome said:
    There is probably a right (or at least a law) to privacy, but there's most certainly a right to the lack of it. Nobody can force you to keep your privates private. And if Facebook wants to be the middle-man to implement people's right to publicity, that's absolutely their right. In much the same way that some people (usually professional models) like to sell their good looks. Can't stop them either. Facebook is acting like a modelling agency in this respect. Facebook is also collecting data on their models and viewing customers, but I'm sure all modelling agencies have been doing that to some extent forever.
    That's valid, but there must also be a right to say where the line is. I can choose what I share and what I keep private. Admittedly some people ride a very fine line between the two, but just because someone is a model who posts risque pictures of themselves online, doesn't mean they should have pictures they'd rather keep private posted online, as well. Likewise, a glamour model doesn't necessarily want their private phone number, bank account details, or the time of their next gynecologist appointment posted online.
    I'm not sure if you were suggesting that the model or Facebook needs to refrain from putting too much information about a person online. I think you were saying the former. I may agree perfectly with that but I think you realize I'm strictly talking here about people's rights. I don't think there's anything you can do legally to stop the glamour model you mention from revealing any of the details you mentioned, including bank details. You can't legally enforce intelligence and you can't legally prohibit stupidity, at least when it comes to revealing information about yourself. And you can't blame the agents of people's stupidity (e.g., Facebook) for their client's choices. Just like we don't blame lawyers for defending accused murderers.
    The problem that most people are forgetting is that your worst enemies from a privacy standpoint are your friends and family.  In today's world, even if YOU don't want YOUR private information being sent to facebook or other data miners, your friends or your family probably are sending everything they've entered in their contact list about you to various other companies and organizations without so much as a second thought.

    How can we better manage this, moving forward as a society?  I'd love to be better connected with more friends, but as long as they insist on having their mobile devices constantly spewing data from their contact apps, I simply say No.  If I don't trust that they understand and will abide by my decision to protect my own personal data, then I don't give them any meaningful information, and that can be stifling.
