Instagram appears to have spent the long weekend buying up internet domains that hackers might try to use to sell contact information stolen last week from as many as 6 million of the social media app’s 700 million user accounts.
A company spokeswoman declined to comment Tuesday to CyberScoop about a news report over the weekend that Instagram, through brand reputation management outfit Mark Monitor, had been buying up hundreds of web domains using the word “Doxagram.” That’s the name of the website hackers first used to sell, for $10 a pop, the stolen data scraped from Instagram through a security flaw in an application programming interface, or API.
Last week, the hackers were kicked off Doxagram.com and two other sites they subsequently migrated to. Over the weekend they appeared to find a home on the dark web, where the Tor service bounces encrypted traffic around the internet to disguise its origin and destination.
The Daily Beast reported the 280 domain buys on Monday night, using internet records maintained by RiskIQ’s Passive Total DNS. The domains purchased included doxagram.lol, doxagram.website, and doxagram.org, according to the Daily Beast. “The domains list a Facebook email address as the point of contact, and ‘Instagram LLC’ as the domain administrator,” and were purchased through registrar Mark Monitor, the publication reported. Mark Monitor did not respond to a request for comment.
Hackers told the Daily Beast and other online news outlets last week that they had successfully scraped 6 million accounts for user names, phone numbers and email addresses — but not passwords — exploiting a flaw in the API before Instagram patched it last week.
Security experts told CyberScoop that the attack should be a “wakeup call” for enterprises to give a higher priority to API security in their software development cycle.