Comparitech says that, based on the samples it collected, one in five records contained either a telephone number or email address. Every record also included at least some, sometimes all, the following information: Profile name; Full real name; Profile photo; and Account description. Statistics about follower engagement, including: Number of followers; Engagement rate; Follower growth rate; Audience gender; Audience age; Audience location; Likes; Last post timestamp; Age; and Gender. “The information would probably be most valuable to spammers and cybercriminals running phishing campaigns,” Paul Bischoff, Comparitech editor, says. “Even though the data is publicly accessible, the fact that it was leaked in aggregate as a well-structured database makes it much more valuable than each profile would be in isolation,” Bischoff adds. Indeed, Bischoff told me that it would be easy for a bot to use the database to post targeted spam comments on any Instagram profile matching criteria such as gender, age or number of followers.
The data appeared to have originated from a company called Deep Social, which was banned by both Facebook and Instagram in 2018 after scraping user profile data. The company was wound down sometime after this.
The researchers reached out to Deep Social, which then forwarded the disclosure to a Hong Kong-registered social media influencer data-marketing company called Social Data. Social Data shut down the database about three hours after the researchers’ initial email. “Social Data has denied any connection between itself and Deep Social,” reports Forbes, citing Comparitech.