Last week, Instagram pushed out a patch for a bug in the service’s API that allowed attackers to discover users’ email addresses and/or phone numbers.
Facebook-owned Instagram downplayed the risk, saying that attackers had used the bug to extract the contact information of “a number” of high-profile Instagram users, and that no passwords were compromised.
The attack process
Kaspersky Lab researchers, who found the flaw and shared information about it with Instagram, said that while the attack process is relatively simple, it takes time and effort to pull off.
“Using the outdated application the attacker selects the reset password option and captures the request using a web proxy. They then select a victim and send a request to Instagram’s server carrying the target’s unique identifier or username. The server returns a JSON response with the victim’s personal information including sensitive data such as email and phone number,” they explained.
“The attacks are quite labor intensive: each one has to be done manually since Instagram uses mathematical calculations to prevent attackers from automating the request form.”
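The flaw described above is a password-reset endpoint returning more data than the client needs. The following is an added illustration, not Instagram’s code or Kaspersky’s: a mock reset handler in its leaky form beside a hardened form that minimizes the response, masks the contact, and rejects clients older than the patched version. The account store, version check and masking helpers are all assumed for the example.

```python
# Constructed sample account store; not real data.
ACCOUNTS = {
    "alice": {"id": 1001, "email": "alice@example.org", "phone": "+15551230001"},
}

# Version the article names as the patched release; treated here as the minimum allowed client.
MIN_CLIENT_VERSION = (12, 0, 0)


def parse_version(version: str) -> tuple:
    """Turn '12.0.0' into (12, 0, 0) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def mask_email(email: str) -> str:
    """Keep the first character of the local part and the domain: alice@x -> a****@x."""
    local, domain = email.split("@", 1)
    return local[0] + "*" * (len(local) - 1) + "@" + domain


def mask_phone(phone: str) -> str:
    """Reveal only the last two digits."""
    return "*" * (len(phone) - 2) + phone[-2:]


def reset_password_leaky(username: str) -> dict:
    """Behaviour the article describes: the JSON reply carries full email and phone."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return {"status": "fail"}
    return {"status": "ok", "id": acct["id"], "email": acct["email"], "phone": acct["phone"]}


def reset_password_hardened(username: str, client_version: str) -> dict:
    """Minimized reply: no raw contact data, uniform wording, outdated clients refused."""
    # Refuse clients below the patched version so the old response path is unreachable.
    if parse_version(client_version) < MIN_CLIENT_VERSION:
        return {"status": "upgrade_required"}
    acct = ACCOUNTS.get(username)
    message = "If the account exists, reset instructions have been sent."
    # Same status and wording whether or not the account exists (limits enumeration).
    if acct is None:
        return {"status": "ok", "message": message}
    # Only a masked hint of where the reset went; never the full value.
    return {"status": "ok", "message": message, "sent_to": mask_email(acct["email"])}
```

The masked hint is itself a policy choice; a service that wants zero contact disclosure would drop the `sent_to` field entirely.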
User data offered for sale
The researchers spotted the hackers on an underground forum, trading the personal credentials for celebrity accounts, and presumably that’s when they went searching for the bug.
For how long the attackers were actually “mining” the information is unknown. If each account has to be “mined” manually, they may have been at it for a while, as they now claim to hold information from over 6 million Instagram accounts. They are selling the stolen data both on the open Internet and on the dark web, asking $10 for the information tied to a single account. They named their “service” Doxagram.
The Daily Beast received a sample of the stolen data directly from the hackers, and tested it. They discovered that some of the information corresponds to that provided by the users, and that many of the email addresses on the list did not come up when searched for through Google Search or in public databases, meaning that they were likely obtained from some private source.
“Some of the accounts in the list are seemingly high profile. One entry is allegedly for the official President of the United States’ Instagram account,” The Daily Beast noted. Others appear to belong to celebrities, sport stars, media companies, etc.
Reportedly, the attackers automated the information harvesting with a scraper and pointed it first at accounts with over one million followers.
Instagram is trying to minimize the damage by buying as many Doxagram-themed domains as possible, and repeatedly booting the Doxagram site from various domains. At the moment, the site is located on doxagram.su, but that’s likely to change soon. The attackers have also set up a Twitter account through which they publicize each change of domain.
The dark web variant of the site will be much more difficult to shut down.
While passwords have not been compromised, users whose information has been harvested should be aware that it can be used in very targeted and believable phishing attacks.
High-profile users have likely already moved to change the compromised email address and phone number.
Finally, all users are advised to update their Instagram app to the latest, patched version (v12.0.0).