Instagram said that unknown hackers exploited a critical bug in its servers and stole personal details, including e-mail addresses and phone numbers, belonging to top celebrities, and are now trading them on underground hacking forums.
The warning came on Wednesday when Instagram sent emails to celebrities with verified accounts on the platform explaining what happened. Apparently, hackers exploited a bug (which has now been fixed) to steal data – however, no passwords were stolen, the company claimed.
Instagram has confirmed the hack and said in a statement that:
“We recently discovered that one or more individuals obtained unlawful access to a number of high-profile Instagram users’ contact information—specifically email address and phone number—by exploiting a bug in an Instagram API. No account passwords were exposed. We fixed the bug swiftly and are running a thorough investigation.”
The IT security researchers at Kaspersky were the first to notice hackers trading celebrities' personal data on hacking forums. The researchers also described the method by which the hackers obtained users' confidential information.
The researchers found that the vulnerability resided in the mobile version of Instagram 8.5.1, released in 2016 (the current version is 12.0.0). The attack procedure was relatively simple: using the obsolete version of the application, the criminals triggered the password reset function and intercepted the request with a web proxy. They then selected a victim and sent the request to the Instagram server with the victim's username or user identifier. The server returned a JSON response containing the victim's personal information, including sensitive data such as phone number and email address.
Kaspersky Lab advises users who still use older versions of the application to upgrade them to the latest version of Instagram. Another tip: to be safe on social networks, it is important to use different email addresses for each network and to report any irregular activity to the social network. More importantly, if you receive a password reset email that was not personally requested, immediately notify the social network.