An unsecured database thought to be owned by a Mumbai-based social media marketing firm exposed the personal information of millions of Instagram influencers, including those not affiliated with the company.
Discovered by security researcher Anurag Sen, the insecure database was hosted by Amazon Web Services without a password, allowing anyone with knowledge of its location to view private details attached to at least 49 million records, reports TechCrunch.
An investigation by the publication led back to Chtrbox, a social media marketing firm that seeks out and pays popular Instagram users for sponsored posts. The company has since removed the database that included a comprehensive list of influencers and their respective bio, location, follower count and in some cases telephone number and email address details.
The database appears to be legitimate, as the publication successfully contacted a number of account holders on the list.
Chtrbox, like other marketers in the field, uses the gathered particulars and other metrics to calculate account value, which in turn dictates prices paid for sponsored posts. How it obtained private account information is unclear, though it seems the company was indeed able to scrape data from the social networking service. Two unnamed users confirmed their phone numbers and email addresses, but noted no affiliation with the marketing firm.
It is unknown how long the records remained online before Sen's discovery.
"We're looking into the issue to understand if the data described - including email and phone numbers - was from Instagram or from other sources," Instagram owner Facebook said in a statement. "We're also inquiring with Chtrbox to understand where this data came from and how it became publicly available."
Instagram faced a similar issue in 2017 when hackers exploited a bug in the platform's developer API to obtain the phone numbers and email addresses of high-profile account holders.