Instagram flaw lets hackers sell celebrities’ data at $10 a pop

Taylor Swift is among the A-list celebrities whose data has leaked to the darknet due to a flaw in Instagram.

All you need is ten bucks to get in touch with Taylor Swift, thanks to an Instagram data leak.

A seller on the darknet was able to harvest the email addresses and phone numbers of up to 500 celebrities by way of a bug in the popular photo-focused social network. The flaw let hackers steal a user’s credentials and was patched after researchers with Kaspersky Lab warned Instagram on Tuesday.

Nevertheless, contact info for hundreds of celebrities is now for sale on the darknet via a searchable database, at $10 per query, researchers from security company RepKnight discovered. The sellers are going by the name Doxagram, a combination of Instagram and “doxxing,” a term for dumping someone’s private info, or documents, online.

The group is offering contact data on stars like Miley Cyrus, Beyonce, Leonardo DiCaprio, Emma Watson and boxer Floyd Mayweather. Info on as many as 500 A-list celebrities is in the database, Patrick Martin, a security analyst at RepKnight, said. Information from the @POTUS account, which isn’t run by President Donald Trump, is also accessible.

“While Instagram has now fixed the bug that led to the leak, the cat is out of the bag, and those affected will have to take extra care to maintain their privacy,” Martin said.

Doxagram claims to have posted contact info for up to six million Instagram users in the searchable database. On a bitcoin forum, a user with the name Doxagram who was advertising the service wrote that the group offers “the only Instagram lookup service on the market” and can pull data on any Instagram account.

Instagram said it’s aware of the claim and is investigating.

Some listings have only email addresses, without phone numbers. On Friday morning, a person claiming to be behind Doxagram told Ars Technica the group had made $500 within six hours before the existence of the database was made public.

On Wednesday, after Instagram fixed the bug, the company sent an email to verified users warning them the attack was aimed at “high-profile users.” No passwords have been stolen, the company said. Still, leaked contact data can lead to phishing attacks and privacy breaches.

The flaw was in Instagram code that went into use in 2016, according to Kaspersky Lab researchers. Kaspersky said hackers looking to exploit the flaw would have had to do it manually, as Instagram’s protection prevented automated scraping. But the hackers told Ars Technica they were able to steal information from 1 million accounts an hour.

The Doxagram team didn’t respond to requests for comment.
