A massive database containing contact information of millions of Instagram influencers, celebrities and brand accounts is leaking sensitive information to the web.
The database, hosted by Amazon Web Services (AWS), was left exposed to the web without any password protection, allowing anyone to peek into it.
At the time it was first found, the database had more than 49 million records - but was growing by the hour.
From a brief review of the data, each record contained public data taken from influencer Instagram accounts, including their bio, profile picture, the number of followers they have, if they’re verified or not, and their location by city and country.
It also contained some other private information, such as contact email address and phone number.
It was security researcher Anurag Sen who first discovered the database and alerted TechCrunch in an effort to find the owner and get the database secured.
TechCrunch traced the database back to Chtrbox, a social media marketing firm based in Mumbai, India, which pays influencers to post sponsored content on their accounts.
This can be seen inside the database records, which have fields that calculated the worth of each account based on the number of followers, engagement, reach, likes and shares they had. These metrics were used to determine how much a client would have to pay the Instagram influencer to post an ad.
After TechCrunch managed to contact several of the affected people at random, using the phone numbers found in the database, two people responded to TechCrunch's inquiry and confirmed that the email address and phone number found in the database were used to set up their Instagram accounts.
However, neither of them said that they had any involvement with Chtrbox.
After the news spread, it didn't take long until Chtrbox took the database offline.
It was later discovered that the database was actually a place to store scraped information gathered by hackers. The information was leaked due to a security bug Instagram previously found in its developer API, which allowed hackers to obtain the email addresses and phone numbers of six million Instagram users.
The hackers later sold the data for Bitcoin.
Facebook, which owns Instagram, is said to have looked into the matter and fixed the issue by choking its API to limit the number of requests apps and developers can make on the platform.
"We’re looking into the issue to understand if the data described – including email and phone numbers – was from Instagram or from other sources," said the company in an announcement.
"We’re also inquiring with Chtrbox to understand where this data came from and how it became publicly available."