[BreachExchange] Instagram Data Leak Exposes Account Information Including Full Names and Phone Numbers

Destry Winant destry at riskbasedsecurity.com
Wed Sep 25 10:34:09 EDT 2019


Another day, another security issue for the Facebook family of
companies. This time out, an Instagram data leak was discovered,
exposing hidden contact information including the real names of
millions of Instagram users and their phone numbers.

The silver lining here is that the leak was discovered by a white-hat
hacker / security researcher and was patched by Facebook before there
was any other known illicit access. Of course, “known” access is the
key term here. Given that the hack was relatively simple and did not
require advanced technical skill, it is quite possible that other
parties have accessed private Instagram information in this way.

Details of the Instagram data leak

The other silver lining to this Instagram data leak is that it did not
appear to expose any payment information. It was limited to looking up
personal contact information by way of a set of vulnerabilities in the
platform’s login form and its “Sync Contacts” feature. Forbes
corroborated the story by having the Israeli hacker, who goes by the
handle ZHacker13, access account data that reporters knew to be

The hack began with a simple brute force login attempt through the
standard Instagram web interface. The hacker found a means to feed
phone numbers to the login form, which would then flag the number if
it was in use by an account. Instagram did not limit the amount of
attempts one could run.

With a list of phone numbers known to be attached to accounts at hand,
the hacker could then set up a new account and attempt to sync
contacts by entering the known valid phone numbers. Valid phone number
matches would link to the holder’s account number and return their
real name. The only limitation to this phase of the attack is a
three-per-day restriction on synced contacts with each account, but
the attacker could get around this with multiple accounts.

This vulnerability in Instagram cannot be used to gain illicit access
to accounts, but the phone numbers and real names it exposed are
frequently not meant to be seen by the public. Knowledge of the phone
number connected to the account could create a pathway for an attacker
to take it over by way of a SIM swap attack.

Instagram issued a statement that the vulnerability had been patched
out and that there was no illicit access of data in this way prior to
the discovery, but it is always difficult to know these things for
sure. Companies often do not learn of prior illicit access until
account information starts appearing in dark web collections.

Instagram issues

The last year or so has been quite bad for Instagram.

Last August, the platform saw a group of Russian hackers take control
of hundreds of accounts. The hackers changed profile information and
contact email addresses for purposes that are still not entirely
clear. Users complained that it was excessively difficult to get
access to their account restored, with the process often taking a
number of days and multiple emails to the company.

The company also suffered two major data breaches that exposed the
information of tens of millions of users. A third-party attack on
influencer services contractor Chatrbox exposed the personal
information of 49 million Instagram personalities, while a mysterious
unsecured Amazon S3 database owned by an unknown United Kingdom
company was found that contained private user information for 14
million more accounts. That makes this the third serious Instagram
data leak within a year.

Of course, parent company Facebook has also been having a rough time.
The social media giant has been embroiled in about two straight years
of major data privacy controversies, dating back to the news of the
massive Cambridge Analytica leak.

The increasing value of “public” contact information

Breaches like this recent Instagram data leak are sometimes met with
an attitude of indifference; what can someone do with your name and
phone number?

In isolation, perhaps not much. This information often manages to find
its way into open collections traded through underground sources,
however, and sometimes even dumped to the general public. Each piece
makes it easier for a scammer or hacker to pull off some sort of
confidence scheme or take over an account.

We touched on SIM swap attacks earlier, in which a hacker takes over a
cellular phone account through nothing more than a call to the telco’s
customer service line. The key to pulling off one of these attacks is
knowing the target’s phone number and which of their online accounts
it is connected to as a two-factor authentication method. That’s one
of the main concerns with this recent Instagram data leak.

Each piece of contact information also helps to build a profile that
can be used for very convincing phishing email attacks. In addition to
being a risk to the financial information of individuals, phishing is
usually the first step in breaching and gaining full access to
business networks.

Each individual breach may only drop a few user details, but these
trickles of information tend to flow to the dark web and coalesce in
massive collections of data with detailed personal profiles available
to anyone who is interested.

Protection from data leaks

At the consumer end, all that can be done is due diligence on the
companies that are trusted with personal contact information. Aside
from being cautious in sharing their own data, all consumers can do is
demand that companies be better at this and vote with their feet (and
for tighter regulations) when they get it wrong. In isolation, the
Instagram data leak might seem like something minor enough to
overlook. When taken with the other issues Instagram and Facebook have
experienced recently, it’s not surprising that the platforms have seen
recent drops in activity.

Chris DeRamus, co-founder and CTO, DivvyCloud, expanded on how
companies can do better at their end:

“Security vulnerabilities such as this are often due to a
misconfiguration. Organizations must do a better job at being
proactive in ensuring their data is protected with automated security
controls. Even companies with seemingly endless resources struggle
with identifying and remediating misconfigurations and other
vulnerabilities in real time. This risk is even greater when using
cloud service providers, and organizations cannot wait to invest in
security solutions that can detect misconfigurations and alert the
appropriate personnel to correct the issue, or even trigger automated
remediation in real-time to better safeguard sensitive data and
maintain trust among users and customers.”

Anurag Kahol, CTO, Bitglass, makes the case for both better real-time
data protection by companies and more proactive penetration testing to
find these leaks of contact details internally before random internet
people (or threat actors) come across them:

“There is an important distinction between what a user chooses to make
public, such as a unique handle or username, and the personally
identifiable information (PII) that they use to create accounts. When
individuals make user profiles for any given service, they trust that
their PII will be kept secure. While Instagram exposed users’
passwords a little less than a year ago, it appears that the company
did not sufficiently learn its lesson. Instagram is now reported as
having left names, account numbers, and phone numbers exposed, as

“While there are no signs that credentials were leaked or data was
stolen by hackers, users could have had their accounts and information
exposed if a researcher hadn’t found the issue and intervened.
Companies cannot rely on others to find their security issues and
instead must take a more proactive approach to defending user data.
Organizations that have complete visibility and control over their
data are in a better position to identify and remediate
vulnerabilities that could be exploited by malicious actors. The days
of reactive security have passed – real-time protections are now
absolutely critical.”

The permanence of internet data makes this a high-stakes issue for
both consumers and the companies that handle their personal
information. One incident such as this recent Instagram data leak
here, another cyber security incident there and scores of people can
be dealing with identity fraud and phishing attempts for years.
Protections for user accounts and corporate competence have to improve
across the board to deal with this reality and prevent potential

More information about the BreachExchange mailing list