
Huge stash of Instagram user data found online

A trove of private information from Instagram users was discovered open and unlocked in an online Amazon server. Here are 3 important things to learn about the event – even if you’re not an Instagram influencer and your name was not on this list.

Situation in a nutshell

Anurag Sen, a security researcher, used Shodan, a search engine for exposed databases and devices, to find an unsecured online database of over 49 million records vacuumed up from Instagram user accounts. The details were scraped from the public data available for selected Instagram influencers and included their bios, number of followers, geographic location, and contact details. The database was managed by Chtrbox, an Indian social media marketing firm. Nobody is really saying who accumulated the data, but it has since been taken offline.

1. Facebook (and Instagram) has not been private with your data

Beyond this latest issue, Facebook and Instagram do not have a sterling reputation when it comes to protecting users’ private data. This episode comes two years after a bug in the Instagram developer API let hackers get the email addresses and phone numbers of six million user accounts — and also two years after Instagram tweaked its API to limit the user data available to app developers. It’s not clear if the Chtrbox data was collected prior to these episodes.

2. Your personal data can get scraped up

The data seems to have been acquired by someone laboriously scraping it out of Instagram. While this seems to have been publicly available data – and data that users willingly added to Instagram – it should make you wonder about the wisdom of having so much of your private information potentially available for the taking.

3. Servers work just like a rental storage facility

The database was found on servers hosted by Amazon Web Services – unlocked and unencrypted. AWS in this case works just like a rental storage locker – pay your money and the locker is yours to store your stuff. However, in this case the lock was not included in the deal and Chtrbox simply forgot or did not bother to use a lock. In addition, the server held details of other people (like you), not the company's secret plans for market domination. Just remember, your data – whether stored online by yourself or some other company — is only as secure as the lock used.

Data security is not just about you

Even if you use long, customized, individual passwords for all of your accounts — your data can still leak out into the public sphere. Yes, you are only as secure as the people gathering up and compiling your private data decide to be. Your job is to control and limit the amount of data they can collect whenever possible by using a VPN, password manager, and ad blocker.

As a PR Consultant and journalist, Frink has covered IT security issues for a number of security software firms, as well as provided reviews and insight on the beer and automotive industries (but usually not at the same time). Otherwise, he’s known for making a great bowl of popcorn and extraordinary messes in a kitchen.