Hackers Exploit Instagram API Flaw to Steal Information from Verified Users

Instagram HackHigh profile users of the popular social media platform Instagram were alerted late August after the company discovered that hackers had gained access to specific users’ contact information. Instagram confirmed that the hackers managed to obtain email addresses and phone numbers of some prominent users by exploiting a bug in the app’s API. On August 31, it was reported that the hackers actually collected the stolen information and created a searchable database dubbed “Doxagram”. Currently, they are charging US $10 per search.

In response to the API exploit, Instagram did not confirm the number or specific accounts that were affected. According to reports, only high profile users were targeted. It is possible that the hackers wanted to abuse the channels with the most followers for some kind of stunt—just this past week we’ve already seen one such hack. In a statement, the company emphasized that “no account passwords were exposed. We fixed the bug swiftly and are running a thorough investigation.”

Although Instagram maintains that user passwords were not compromised, this doesn’t negate the severity of the hack. Email addresses and phone numbers are used as login credentials and backups for many different accounts—and not just on social media platforms. It is entirely possible for an attacker to hijack someone’s phone and access shopping profiles or even banking accounts linked to that number. The fact that most online accounts are accessed and even verified through mobile devices makes phone numbers quite valuable.

Best Practices and Solutions

As more attackers target online accounts, users have to be aware of the security measures available to them. Some tips for managing your online accounts:

  • Limit the amount of personal information on your accounts, so that the damage is somewhat limited in a worst-case scenario.
  • Stay updated! Make sure you have the latest version of your apps installed so that you have the most current security measures from the vendor.
  • Most platforms are already equipped with two-factor authentication so make sure to install 2FA on all your online accounts.
  • Avoid reusing your password.
  • Monitor news and digital platforms for the latest news on compromises and hacks. 
  • Install a multilayered security solution on your mobile device.

Users and enterprises can benefit from mobile security solutions such as Trend Micro™ Mobile Security for Android™ (available on Google Play) and also Trend Micro™ Mobile Security for iOS™. Trend Micro™ Mobile Security for Enterprise provides businesses with device, compliance, and application management, data protection, and configuration provisioning. It also protects devices from attacks that leverage vulnerabilities, prevents unauthorized access to apps, as well as detecting and blocking malware and fraudulent websites.

Updated: September 3, 2017 11:30 PM

Article was updated with news regarding "Doxagram"

HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.