The recent hack of Selena Gomez’s Instagram account seems to only be the beginning of what could be a larger problem. According to several reports, the Gomez hack and those of several other “high profile” accounts are the result of a bug within Instagram that allowed access to some email addresses and phone numbers. In a statement, Instagram confirmed the bug and its fix for it, assuring users that no passwords were revealed:
We quickly fixed the bug, and have been working with law enforcement on the matter. Although we cannot determine which specific accounts may have been impacted, we believe it was a low percentage of Instagram accounts.
Out of an abundance of caution, we encourage you to be vigilant about the security of your account, and exercise caution if you observe any suspicious activity such as unrecognized incoming calls, texts, or emails. Additionally, we’re encouraging you to report any unusual activity through our reporting tools. You can access those tools by tapping the “…” menu from your profile, selecting “Report a Problem” and then “Spam or Abuse.”
According to The Daily Beast, the bug may have been fixed, but it exposed several users' private information and led to it being sold on the Darknet, with hackers launching a site with a searchable database of information for $10 a search. A person behind the search engine, dubbed Doxagram, provided The Daily Beast with a list of 1,000 alleged Instagram accounts and claimed that the total was somewhere near 6 million:
“Instagram clearly hasn’t yet understood the full impact of this bug,” one of the people behind the site, dubbed ‘Doxagram,’ told The Daily Beast…
To verify the authenticity of the sample, The Daily Beast tried to create new accounts on Instagram with a random selection of email addresses from the list. In every case, the email address was already linked to an Instagram account.
Although the majority of the tested email addresses were also publicly available elsewhere on the internet, many did not return any relevant Google results, implying they were obtained from some private source. Many of the emails were also not included in large scale data breaches, such as LinkedIn, according to breach notification site Have I Been Pwned?, implying that the hackers may not have simply dug up records from previous, publicized security incidents.
Instagram currently has 700 million users worldwide, so the 6 million figure would indeed be a low percentage. But none of it is verified at this point apart from the list provided by one of the purported hackers. According to The Verge, cybersecurity firm RepKnight found contact information for celebrities like Emilia Clarke, Emma Watson, Lady Gaga, Taylor Swift, and Snoop Dogg on the search engine, but they note that regular users could be at risk and that Instagram is unaware of exactly which accounts were affected by the bug.
While no passwords were included, the personal info released would be a strong starting point for someone looking to invade an account. So, at the very least, it would seem like it is time to change your passwords and emails yet again.