Instagram Account Leaks: Data Linked to Millions of Influencers, Celebrities and Brands Exposed

Instagram logo
The social media application logo Instagram is displayed on the screen of a computer on March 15, 2019 in Paris, France. Chesnot/Getty Images

Instagram has launched an investigation after a database containing public data linked to millions of accounts was allegedly exposed online without a password.

TechCrunch first reported the trove of information had been collected by a company based in India called Chtrbox. Some leaked details included contact information of influencers and celebrities, alongside public data scraped from profiles such as images and bios.

In a statement today, a spokesperson at the Facebook-owned app, said: "We are investigating whether a third party improperly stored Instagram data, in violation of our policies.

"It's also not clear whether the phone numbers and emails in Chtrbox's database came from Instagram. Regardless, the possibility of third parties mishandling user data is something we take seriously, which is why we're quickly working to understand what happened."

The exposed database, holding more than 49 million records, was discovered by a security researcher called Anurag Sen. It was not immediately clear how long it had been left unprotected. It has since been taken offline and is no longer accessible, TechCrunch reported.

According to its website, Chtrbox connects brands with influencers. It claims to have worked with big-name companies including Nike, Nokia, Ray Ban, HP, Puma, and Tropicana.

Chtrbox says it uses an "influencer base" for content creation, social media shout-outs, products reviews and launch events. The system matches the objectives of a brand's campaign to the right influencers. Creators then share the campaign with their followers—driving sales.

"We help you access the growing network of emerging and established influencers—Digital Celebs, YouTubers, Instagrammers, Twitteratis, Bloggers, Snapchatters, Thought Leaders, Socializers, Mom influencers, Campus Influencers—you name it!" a description reads.

Indeed, some of the records in the exposed database were seemingly highlighting the "worth" of an Instagram user's account based on follower engagement, TechCrunch reported.

Interestingly, some of the victims identified by the outlet claimed to have no involvement with Chtrbox. It was not yet clear how Chtrbox had obtained their personal contact details. Per the Instagram statement, it is possible data was obtained from a third party.

Instagram boasts more than one billion monthly active users. Mass scraping of data from public accounts would be a violation of Instagram policy.

A page outlining the photo-sharing app's terms of service includes the warning: "You can't attempt to create accounts or access or collect information in unauthorized ways. This includes creating accounts or collecting information in an automated way without our express permission."

A Chtrbox spokesperson said: "The reports on a leak of private data are inaccurate. A particular database for limited influencers was inadvertently exposed for approximately 72 hours.

"This database did not include any sensitive personal data and only contained information available from the public domain, or self reported by influencers.

"We would like to affirm that no personal data has been sourced through unethical means. Our database is for internal research use only, we have never sold individual data or our database, and we have never purchased hacked-data resulting from social media platform breaches. Our use of our database is limited to help our team connect with the right influencers to support influencers to monetize their online presence."

Update (May 24): In a statement, an Instagram spokesperson said: "We take any allegation of data misuse seriously. Following an initial investigation into the claims made in this story, we found that no private emails or phone numbers of Instagram users were accessed. Chtrbox's database had publicly available information from many sources, one of which was Instagram." According to the company, Chtrbox had data from 350,000 of its users in the database.

This article has been updated with additional comment from Instagram, post-investigation.