(Updated) Private data (including rates) of 49M Instagram influencers leaked due to agency’s malpractice

instagram, screenshot, hide, likes, views, story, stories

Update (24/05/2019): After an internal investigation, an Instagram spokesperson said no personal data from Instagram was compromised, and it has revoked Chtrbox’s access to its API:

We take any allegation of data misuse seriously. Following an initial investigation into the claims made in this story, we found that no private emails or phone numbers of Instagram users were accessed. Chtrbox’s database had publicly available information from many sources, one of which was Instagram.

Additionally, Chtrbox clarified that the size of the database was 350,000 instead of 49 million as reported earlier. The agency found emails and phone numbers through other means than Instagram. The social network also said that it found no vulnerabilities in its platform that can expose personal data of users. 

Last night, TechCrunch reported that a massive database containing info of over 49 million Instagram influencers, celebrities, and brand accounts found in the open.

Security researcher Anurag Sen found the growing database hosted on Amazon Web Services (AWS) without a password. As per the report, the data contained influencers’ Instagram handles, bios, verification status, location, email, and phone number.

TechCrunch noted that the database belonged to ChtrBox, an Indian agency that pays influencers to post. The database also had calculation of how much an account is worth paying based on the number of followers and the likes they get on their posts. The company has taken the database offline after the report was published. We’ve reached out to ChtrBox and its founder Pranay Swarup to know more, and we’ll update the post accordingly if we hear back.

Instagram said in a statement that it’s investigating the matter:

We are investigating whether a third party improperly stored Instagram data, in violation of our policies. It’s also not clear whether the phone numbers and emails in Chtrbox’s database came from Instagram. Regardless, the possibility of third parties mishandling user data is something we take seriously, which is why we’re quickly working to understand what happened.

Last year, Instagram tightened its APIs to prevent data leaks. While information like bio and follower count can be obtained by scraping public APIs of the app, it’s unclear how the agency got hold of influencers’ private information.

Read next: You can now try out Microsoft's Edge browser for macOS