Attackers exploited Instagram API bug to access users’ contact info

Instagram has confirmed that “one or more individuals obtained unlawful access to a number of high-profile Instagram users’ contact information — specifically email address and phone number — by exploiting a bug in an Instagram API.”


Apparently, no account passwords were exposed.

No more details about the bug were shared, only that it has now been fixed. Instagram also didn’t say whether the bug affected only verified accounts or all types of Instagram accounts, or whether the stolen information was used to compromise verified accounts.

American singer and actor Selena Gomez has recently had her Instagram account hijacked by attackers who went on to post nude photos of former boyfriend Justin Bieber, but it is unknown whether that hijack has anything to do with this bug.

The Facebook-owned company has notified verified members of the hack, and has urged users “to be vigilant about the security of their account and exercise caution if they encounter any suspicious activity such as unrecognized incoming calls, texts and emails.”

UPDATE: The bug was discovered by Kaspersky Lab researchers and information about it was shared with Instagram.

“The researchers discovered that the vulnerability exists in Instagram mobile version 8.5.1, released in 2016 (the current version is 12.0.0). The attack process is relatively simple: using the outdated application the attacker selects the reset password option and captures the request using a web proxy. They then select a victim and send a request to Instagram’s server carrying the target’s unique identifier or username. The server returns a JSON response with the victim’s personal information including sensitive data such as email and phone number,” they explained.

“The attacks are quite labor intensive: each one has to be done manually since Instagram uses mathematical calculations to prevent attackers from automating the request form. The hackers were spotted on an underground forum, trading the personal credentials for celebrity accounts.”

Users are advised to update immediately to the latest available version of the app.
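A defender-side illustration of the failure mode the researchers describe, added here and not code from Instagram or Kaspersky Lab: a hypothetical password-reset handler that echoes the account's contact data to the caller, beside a hardened version that returns the same generic body for any identifier, keeps contact data server-side, and caps requests per client. The user records, identifiers and function names are constructed for the example.

```python
# Constructed sample user store and outbox (hypothetical; not Instagram data).
USERS = {
    "celeb_one": {"id": "1001", "email": "celeb.one@example.com", "phone": "+15555550100"},
    "fan_42": {"id": "1002", "email": "fan42@example.org", "phone": "+15555550199"},
}
OUTBOX = []  # where reset messages would be dispatched server-side, never to the caller

def lookup(identifier):
    """Resolve a username or numeric id; the described request carried either."""
    for name, rec in USERS.items():
        if identifier in (name, rec["id"]):
            return rec
    return None

def reset_leaky(identifier):
    """The failure mode described above: the reset endpoint hands the account's
    contact details back to whoever submitted the request."""
    rec = lookup(identifier)
    if rec is None:
        return {"status": "fail"}
    return {"status": "ok", "email": rec["email"], "phone": rec["phone"]}

class ResetLimiter:
    """Per-client cap on reset requests per time window, so bulk lookups of
    many identifiers from one source are refused rather than answered."""
    def __init__(self, max_requests, window_s):
        self.max, self.window, self.seen = max_requests, window_s, {}
    def allow(self, client, now):
        recent = [t for t in self.seen.get(client, []) if now - t < self.window]
        allowed = len(recent) < self.max
        self.seen[client] = recent + [now] if allowed else recent
        return allowed

def reset_hardened(identifier, client, limiter, now):
    """Hardened form: identical body whether or not the account exists (no
    enumeration), contact data used only server-side, and a per-client limit.
    `now` is a timestamp in seconds (passed in so the logic is testable)."""
    if not limiter.allow(client, now):
        return {"status": "rate_limited"}
    rec = lookup(identifier)
    if rec is not None:
        OUTBOX.append({"to": rec["email"], "kind": "password_reset"})
    return {"status": "ok", "message": "If that account exists, instructions were sent."}

def leaks_contact_info(response):
    """Defender-side check: does a response body carry any raw contact value?"""
    body = " ".join(response.values())
    return any(r["email"] in body or r["phone"] in body for r in USERS.values())
```

The `leaks_contact_info` check is the kind of assertion an API test suite can run against every response of an account-recovery endpoint.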

“Other useful advice for staying safe on social media includes using different email addresses for different social platforms, reporting any concerns or irregularities to the network – and, most of all: if you receive emails about a password restore that you have not initiated, alert the network immediately,” the researchers added.