What Instagram Data Breaches Mean for Consumers

1 Oct 2020

Privacy is paramount in the digital age. Unfortunately, social media companies like Instagram are often in the news due to privacy controversies, such as data breaches.

In recent years, the spotlight has shifted to Instagram because its user data has turned up in various online databases belonging to third-party companies. Below, we’ll cover why this is happening and what an Instagram data breach could mean for you. 

How do Instagram data breaches happen?

Instagram data breaches happen when companies that own databases containing the private information of Instagram users don’t put strong enough security measures in place to keep people out. 

Hackers can then access your personal data and use it for nefarious purposes. To break into databases, they'll often exploit poorly written third-party software applications.

They may also use malware to break in. For example, a hacker might send you an email with a link to a website. When you click the link, the malware can run and get into your database.

One surprisingly common cause of Instagram data breaches is a weak password—or even a lack of a password—for the database. 

This is where we should mention that Instagram isn’t exposing data itself. It’s happening at the hands of third-party companies through a process called web scraping.

The problem of web scraping

Third parties (usually social media marketing/analytics platforms) are mishandling your data by using web scraping, an automated process for gathering large amounts of data.

Web scraping is legal, but social media companies strictly prohibit it to protect user privacy. The problem is, it’s hard to tell scraping bots apart from real accounts. That means that companies using web scraping don’t often get caught until it’s too late. Take a look at what we’re talking about:

Chtrbox

Chtrbox is a Mumbai, India-based influencer marketing company that connects brands with influencers to launch Instagram marketing campaigns. It used Amazon Web Services (AWS) to build its database containing its influencer clientele.

That database eventually caused an Instagram data breach.

In May 2020, a security researcher found that, for some reason, this AWS database was online without a password for 72 hours before Chtrbox pulled it offline. This oversight led to the exposure of at least 49 million users’ sensitive data—although Chtrbox claimed that only 350,000 users were affected.

Deep Social

Deep Social is a recently-defunct influencer marketing and analytics company that provided brands with deep insights into influencers and their audiences. The company obtained this data through web scraping.

Eventually, Facebook and Instagram banned Deep Social from their APIs and threatened legal action, forcing the company to shut down.

But that scraped data ended up in an online database. The data included names, emails, pictures, phone numbers, and Instagram follower count stats of nearly 235 million social media profiles. In 2020, security researchers found that database unprotected by a password or any other form of authentication.

Social Captain

Social Captain is a bot that does a variety of tasks automatically—liking images, commenting on hashtagged posts, following other profiles, etc.—to help its users gain Instagram followers. 

Social Captain’s database was password-protected, with one small issue: You could bypass the login screen easily.

See, every user’s Social Captain profile had a unique user ID code. By plugging this ID into Social Captain’s URL, you could land on a user’s profile page without logging in.

To make matters worse, Social Captain stored its users’ linked login details in plain text. You could view your Social Captain profile page’s source code and see your Instagram username and password.

So, in theory, a hacker could bypass the Social Captain login screen and gather Instagram login information with ease—as long as they know the unique user IDs. User IDs were sequential for the most part, so hackers could collect Instagram login details from numerous users in a short time.
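
The Social Captain flaw described above is a missing server-side authorization check combined with returning a stored secret to the page. As an added illustration (not Social Captain's code; the record fields, IDs and function names are hypothetical), the flawed lookup sits beside a version that requires a session, checks that the session owns the requested profile, and never returns the stored password:

```python
import secrets

# Constructed sample records; field names and IDs are hypothetical.
USERS = {
    1001: {"name": "alice", "ig_username": "alice_ig", "ig_password": "constructed-secret-1"},
    1002: {"name": "bob", "ig_username": "bob_ig", "ig_password": "constructed-secret-2"},
}
SESSIONS = {}  # session token -> user id of the logged-in account


def login(user_id):
    """Issue an unguessable session token (stands in for a real login flow)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def profile_flawed(user_id, session_token=None):
    """Behaviour the article describes: the ID in the URL is the only key."""
    record = USERS.get(user_id)
    if record is None:
        return 404, {}
    # The whole record, plaintext password included, goes back to the caller.
    return 200, dict(record)


def profile_hardened(user_id, session_token=None):
    """Authenticate, authorize against the session owner, and redact secrets."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        return 401, {}
    # Same answer for "not yours" and "does not exist", so the response
    # does not reveal which IDs are in use.
    if owner != user_id or user_id not in USERS:
        return 404, {}
    record = USERS[user_id]
    # The linked credential never leaves the server.
    return 200, {"name": record["name"], "ig_username": record["ig_username"]}


if __name__ == "__main__":
    alice_session = login(1001)
    print(profile_flawed(1002))                    # no login needed, secret exposed
    print(profile_hardened(1002, alice_session))   # refused: not the owner
    print(profile_hardened(1001, alice_session))   # own profile, no password field
```
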

Why these Instagram data breaches are a big deal

You might think that someone having access to a piece of info like your first name isn’t a big deal, but this data accumulates over time with data from other breaches. 

Bad actors could potentially piece together your personal data from an Instagram data breach and a past breach on a different site, then hack into any accounts you own.

For example, your name and email address alone might not be enough to hack into your bank account. But if you use the same password for your bank as you do for an account with an e-commerce store, and that e-commerce store has a data breach, a hacker could have everything they need to break into your bank account.

Scammers can also use your personal information to target you in phishing campaigns. The data they need is generally publicly available, but gathering it into one large database makes it easier to use in a mass scamming effort.

Bad actors might even use your information to target others. They could create fake social media accounts with your info and pictures to attract followers, then promote scams and misinformation.

Keep yourself safe online

As these Instagram data breaches come to light, it’s vital to keep your data as safe as possible and know what to do if your personal data is exposed in a breach. Make sure to take steps to stop Instagram from taking your data to maximize your protection in case of another breach.
