Instagram said Friday it is continuing to investigate a data breach linked to a flaw in its application programing interface that exposed user names, phone numbers and email addresses — but not passwords.
A hacker claims to have stolen data from 6 million accounts, and is offering them for sale at $10 apiece. “We take people’s security very seriously and are working closely with law enforcement on this matter,” the company said in statement emailed to CyberScoop.
Earlier in the week, Instagram said it had found and fixed a “bug” in its API. In a statement, it said the vulnerability had enabled “one or more individuals” to get “unlawful access” to contact information from a number of high-profile user accounts. The company was responding to the apparent hacking of actress and singer Selena Gomez’s account.
“We fixed the bug swiftly and are running a thorough investigation,” Instagram told CyberScoop Friday. The company said that the hackers initially appeared to have targeted high-profile accounts and that “out of an abundance of caution,” it had notified all verified users.
“After additional analysis,” the statement continued, “we have determined that this issue potentially impacted some non-verified accounts as well. Although we cannot determine which specific accounts may have been impacted, we believe it was a low percentage of Instagram accounts.” The Facebook owned social-media platform has a reported 700 million users.
Gomez, with 126 million followers as of Friday, is the photo and video app’s biggest star. Earlier in the week, her account was apparently briefly hijacked and used to post previously published naked pictures of her ex-boyfriend, pop singer Justin Bieber.
But Thursday, a hacker contacted media outlets to advertise a website where, for a $10 fee, visitors can search for contact information — phone numbers, email addresses or both —from what they claimed were 6 million user accounts.
The outlets, Ars Technica and Daily Beast, did not give the website address, but both said they had been provided a sample of data and had managed to confirm that several randomly chosen accounts were genuine. The samples included data from Instagram accounts apparently belonging to Brazilian soccer star Cristiano Renaldo and the White House.
“The hack is a great example of how even when users do everything right, with strong passwords and best practices, attackers can sneak in underneath,” Eric Üner, CTO of mobile security specialists Redwall Technologies told CyberScoop.
The Daily Beast said it was able to use the hackers’ website to successfully get contact information for accounts of National Geographic magazine, pop star Jennifer Lopez, and other celebrities. The Daily Beast reported the website appeared to include “data on many of the top 50 most popular accounts on Instagram.”
“Social media is often targeted because it’s so widely used and contains a wealth of data. But attackers are not always after the just content itself — they may be more interested in your contacts and connections, and in the permissions the app has on your device,” noted Üner.
Attackers appear to have gained access though a security vulnerability in the API that had been discussed and shared in hacker chatrooms. An API is an interface that connects Instagram to other applications, to websites, and even to peripheral devices like printers.
Several security experts told CyberScoop that the attack should be a “wake up call” for enterprises to give a higher priority to API security in their software development cycle.
“API security should be much higher on the risk-scale for CISOs,” said Stephen Gates, chief research intelligence analyst for Zenedge — a company that offers a suite of security services including API protection.
“APIs are becoming a huge attack surface for hackers to exploit,” added Gates, noting that API insecurity had been added to the Open Web Application Security Project, or OWASP, list of Top 10 vulnerabilities.
“This is the continuing saga of cloud and mobile applications being exposed by API development toolkits that do not have inherent API security capabilities enabled,” added Jason Macy, CTO of Forum Systems. “This is largely because API developers are not security specialists and API tootkits and API management platforms are not security platforms.”