An unsecured Chtrbox database hosted by Amazon Web Services (AWS) and discovered by security researcher Anurag Sen has exposed the records of more than 49 million Instagram influencers.
Data scraped from the accounts include bios, account details like number of followers, location information, email addresses, phone numbers and profile pictures as well as a calculated valuation of each account, according to a TechCrunch report.
Chtrbox, based in Mumbai, pays influencers including celebrities to post sponsored content.
"Influencers, celebrities and brands carry a lot of clout on social media with their ability to impact their followers’ sentiments and actions," said Kevin Gosschalk, CEO and co-founder of Arkose. The exposure of Instagram influencers and celebrities "is a timely reminder of the deep responsibility a company has to protect the mass amount of data that it collects," said Gosschalk.
Social media marketing firm Chtrbox has taken the database offline. Instagram’s parent company Facebook said in a statement that it is investigating – querying Chtrbox as to the origins of the data and how it came to be exposed. "We’re looking into the issue to understand if the data described – including email and phone numbers – was from Instagram or from other sources," Facebook said.
"Facebook, which owns Instagram, said it was looking into the matter. Alternatively, as the old gag goes – ‘Facebook has been advised of yet another security hole. Mark Zuckerberg is looking into it,’" said Colin Bastable, CEO at Lucy Security. "Of course, it is no joke for the 49 million influencers, but anyone who entrusts their data to any part of the Facebook business must expect it to have a resale value."
The Instagram incident is the latest in a long string of unsecured databases that expose massive quantities of data.
"Very often, we find that some database storing private, sensitive data in the application layer is accessible over the internet," said Ameya Talwalkar, Co-founder and CPO of Cequence Security. "In most cases, there is no inherent security built into these databases. That is because they are meant to be accessed by other services and applications in the application tier – post authentication."
Noting the "notion of explicit trust between the services/applications using these databases," Talwalkar explained, "In cases where these databases have some security/authentication support, it is usually not turned ON, in order to serve queries as fast as possible, based on the explicit trust model. As these application tiers are changing very rapidly due to fast dev-ops cycles, there is frequent change happening in that application tier."
Those changes sometimes "leave sensitive databases wide open for access from the public internet" and information vulnerable to hackers who scrape it and sell it, he said.
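The failure mode Talwalkar describes, a database whose authentication exists but is switched off and which a later infrastructure change leaves listening to the public internet, is something a defender can audit for continuously. The script below is an added illustration written for this article; it is not code from Chtrbox, Facebook, or any vendor quoted here. The inventory format (a bind address, an auth flag and a list of ingress CIDRs per instance) is an assumption chosen for the example; in practice those values would come from the database's own configuration file and the cloud provider's security-group API. It scores each instance and places the weak configuration beside its corrected form.

```python
"""Audit a constructed inventory of database instances for public exposure.

Added example, not code from the article or from any company named in it.
The record format (bind_ip, auth_enabled, ingress_cidrs) is an assumption
made for this illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class DbInstance:
    name: str
    bind_ip: str                      # address the database process listens on
    auth_enabled: bool                # whether the engine's own authentication is turned on
    ingress_cidrs: List[str] = field(default_factory=list)  # firewall / security-group allow rules


def _rule_is_public(cidr: str) -> bool:
    """A rule is public if it is the whole address space or a non-private, routable range."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:            # 0.0.0.0/0 or ::/0: everyone
        return True
    return not (net.is_private or net.is_loopback or net.is_link_local)


def internet_reachable(inst: DbInstance) -> bool:
    """True when the listener is not loopback-only and some allow rule admits the internet."""
    if ipaddress.ip_address(inst.bind_ip).is_loopback:
        return False
    return any(_rule_is_public(c) for c in inst.ingress_cidrs)


def assess(inst: DbInstance) -> str:
    """Severity for one instance: reachable and unauthenticated is the case from the article."""
    if not internet_reachable(inst):
        return "ok"                   # only the trusted application tier can reach it
    if not inst.auth_enabled:
        return "critical"             # anyone on the internet can read the data
    return "warning"                  # reachable, but at least a credential is required


def audit(inventory: List[DbInstance]) -> Dict[str, str]:
    """Map instance name to severity so findings can feed an alert or ticket."""
    return {inst.name: assess(inst) for inst in inventory}


# Constructed sample inventory: the weak settings beside the corrected one.
SAMPLE_INVENTORY = [
    DbInstance("analytics-db-exposed", "0.0.0.0", False, ["0.0.0.0/0"]),   # auth off, open to all
    DbInstance("analytics-db-auth-only", "0.0.0.0", True, ["0.0.0.0/0"]),  # auth on, still public
    DbInstance("analytics-db-fixed", "10.0.1.5", True, ["10.0.0.0/8"]),    # private bind, private ingress
    DbInstance("cache-local", "127.0.0.1", False, ["0.0.0.0/0"]),          # loopback only
]

if __name__ == "__main__":
    for name, severity in audit(SAMPLE_INVENTORY).items():
        print(f"{severity:8} {name}")
```

Running this against a real inventory is the cheap, repeatable check the quote calls for: a rule that fires whenever an instance flips from "ok" to "critical" after a deployment catches exactly the fast dev-ops change that leaves a database open.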
"Ignorance is not an excuse, especially after multiple incidents," said Sam Curry, chief security officer at Cybereason in an email to SC Media UK. "Facebook desperately needs to rethink privacy and security, because it would seem that if you want to give your PII to the world, you should just sign up for one of their social media services," he said.
Calling the Instagram exposure "yet another instance of a company failing to even use a password, which is a shocking phenomenon because it is the most basic form of security," Arkose's Gosschalk called for organisations to step up and protect databases and the sensitive information they house.
"Time is up – companies need to be proactively protecting their attack surface, especially online databases containing valuable customer records, to protect their digital ecosystems against damaging cyberattacks," he said.
"Consumers should take a least-information-shared posture," added Cybereason's Curry. "Further, it is now past time for good hygiene with passwords and devices security. In particular, invest in a password vault and keep strong, unique passwords by site."
The original version of this article was published on SC Media US.