Instagram data from 14 million profiles found in insecure database, researcher says


Information about more than 14 million Instagram accounts is being kept in an insecure database that could render users vulnerable to hackers, a security researcher told CyberScoop Friday.

Data including users’ profile names, stored links to profile pictures and their Instagram ID is available in the database, which researcher Oliver Hough found on the Shodan web scanning service. The database, physically located in the U.K., includes 14,526,602 entries, according to a screenshot Hough tweeted Friday. Entries also have empty fields for home addresses and telephone numbers, he said.

It’s not clear who is logging the information. But Hough suggested a third party could be scraping Instagram and storing public data for analysis later, either for targeted marketing or another purpose. He suggested the information could be combined with unrelated databases of stolen passwords, which hackers could correlate with the usernames leaked here to try to infiltrate victims’ accounts.

“On the black hat side of things, well, it’s 14 million valid usernames,” he said. “Combine that with large password lists and I’m sure it would be a fun day.”

Instagram did not respond to multiple requests for comment from CyberScoop.

Social media companies previously have tried to stop outsiders from scraping public information about user profiles.

Professional networking site LinkedIn is trying to prevent hiQ Labs, a data science company, from using public data about LinkedIn users to predict which employees are most likely to be seeking a new job. The company sells information to clients including CapitalOne, eBay and GoDaddy, according to Courthouse News. LinkedIn argued hiQ violated the Computer Fraud and Abuse Act, a 1984 anti-hacking law, by using bots to take public data.

That case is still pending in the Ninth Circuit Court of Appeals.