Cyber Incident Victim: Instagram
Date: Aug 2017
Location: United States of America
Summary
A security vulnerability in Instagram allowed unauthorized access to users' phone numbers and email addresses. An attacker claimed to have extracted data from six million accounts and sold access to it through a searchable website at $10 per query. Analysis of a 10,000-record sample provided by the attacker confirmed its legitimacy. The sample included high-profile users, and the incident appears to have involved automated exploitation at a rate of one million accounts per hour before the platform patched the flaw within approximately 12 hours. The incident exposed sensitive contact information, potentially affecting millions, while the company acknowledged the claims and initiated an investigation into the breach's scope.
Description
In late August 2017, a security vulnerability in Instagram's systems was exploited to harvest personal data from user accounts, initially believed to affect a limited number of high-profile celebrities. On August 31, evidence emerged suggesting a significantly broader breach when an individual contacted Ars Technica claiming possession of scraped data from 6 million Instagram accounts. The attacker operated a website selling access to this database at $10 per search query and provided a sample of 10,000 records for verification. Analysis by Ars Technica and security researcher Troy Hunt examined the sample, which contained 9,911 records with either phone numbers or email addresses—5,341 with phone numbers alone and 4,341 with both phone numbers and emails. The data exhibited strong indicators of authenticity, including geographic consistency between account profiles and corresponding country codes in phone numbers, as well as accurate associations with real Instagram usernames, including accounts with millions of followers.

The attacker stated they discovered the vulnerability through an IRC channel discussion and developed an automated exploit capable of harvesting data at approximately 1 million accounts per hour, contradicting initial assessments that manual access was required. This automation enabled rapid data extraction until Instagram patched the security hole roughly 12 hours after the mass exploitation began. At the reported extraction rate, compromising Instagram's entire 700 million-user base would have taken nearly two weeks, though the attacker claimed possession of 6 million records. Instagram confirmed awareness of the claims and initiated an investigation but had not verified the data's authenticity at the time of reporting. The attacker reported earning approximately $500 from 12 transactions within six hours of launching the service. The incident exposed millions of email addresses and phone numbers to potential misuse, with evidence suggesting other threat actors might have independently exploited the same vulnerability prior to its remediation.
