On November 10, a dataset purportedly containing records of 489 million Instagram users appeared for sale on a notorious hacker forum. With Instagram boasting over two billion monthly active users, this breach, if legitimate, would impact nearly a quarter of the platform’s global user base. The threat actor has shared a sample of over 100 user records, offering a glimpse into the data they claim to have obtained.
What Data Was Exposed?
The leaked sample suggests that both public and private details were scraped, including:
Username and Name
Email Addresses
Biography and External URL
Follower and Following Counts
Location and Account Creation Date
Account Category (e.g., Business, Influencer)
Targeted Username, User ID, and Scrape ID
If the claims are accurate, this data could enable cybercriminals to conduct highly targeted attacks, with a focus on impersonation, phishing, and social engineering.
Is the Alleged Stolen Data Authentic?
While threat actors often exaggerate data quality to drive sales, Cyberdefendnews researchers found that the Instagram profiles in the sample appear legitimate. However, the email addresses provided were not present in previously compromised datasets, suggesting that this could be either genuinely new data or, conversely, a well-constructed fabrication.
Cyberdefendnews researchers point out, “Public APIs should not expose such information as user email addresses if they are not openly accessible through the service.” If the hacker’s claims are valid, this would indicate either an exposed private API or a vulnerability in Instagram’s public API, specifically a Broken Object Property Level Authorization flaw, in which an endpoint returns object properties (such as an email address) that the caller is not authorized to see.
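To make the vulnerability class concrete, here is an added example (not code from the article or from Instagram; the data model, field names and endpoint shape are assumptions) contrasting a profile endpoint that serializes the whole user object with one that applies property-level authorization. The public field set mirrors the profile attributes listed above; email and phone are the private properties that a scraper should never receive from a public endpoint.

```python
"""Broken Object Property Level Authorization (BOPLA) illustrated on a
toy profile API. Constructed example: the data model, field names and
endpoint shape are assumptions, not Instagram's real API."""
from dataclasses import dataclass, asdict
from typing import Optional


@dataclass
class User:
    user_id: int
    username: str
    name: str
    email: str          # private: only the account owner should see this
    phone: str          # private
    biography: str
    external_url: str
    follower_count: int
    following_count: int
    category: str


# Constructed sample record (not real data).
USERS = {
    42: User(42, "acme_bikes", "Acme Bikes", "owner@example.invalid",
             "+1-555-0100", "Bikes and parts", "https://example.invalid",
             1200, 80, "Business"),
}

# Which properties a caller may read, by relationship to the object.
PUBLIC_FIELDS = frozenset({"user_id", "username", "name", "biography",
                           "external_url", "follower_count",
                           "following_count", "category"})
OWNER_FIELDS = PUBLIC_FIELDS | {"email", "phone"}


def profile_vulnerable(user_id: int, viewer_id: Optional[int]) -> dict:
    """Vulnerable: serializes the whole object regardless of who asks.
    An unauthenticated caller receives email and phone for every user."""
    return asdict(USERS[user_id])


def profile_hardened(user_id: int, viewer_id: Optional[int]) -> dict:
    """Hardened: property-level authorization. Only explicitly allowlisted
    properties are emitted, and the allowlist depends on the caller's
    relationship to the object (owner vs. everyone else)."""
    user = USERS[user_id]
    allowed = OWNER_FIELDS if viewer_id == user_id else PUBLIC_FIELDS
    return {k: v for k, v in asdict(user).items() if k in allowed}


def leaked_private_fields(response: dict) -> set:
    """Defender-side check: which non-public properties does a response
    carry? Suitable as an API contract test run against every endpoint
    reachable without authentication."""
    return set(response) - PUBLIC_FIELDS


if __name__ == "__main__":
    anon = None  # unauthenticated viewer
    print("vulnerable leaks:", leaked_private_fields(profile_vulnerable(42, anon)))
    print("hardened leaks:", leaked_private_fields(profile_hardened(42, anon)))
    print("owner view:", profile_hardened(42, 42))
```

The design point is that the hardened handler never relies on the object's serializer to decide what is safe; the allowlist is chosen per caller before anything is emitted, and `leaked_private_fields` gives an automated check that can be wired into CI so that a newly added private attribute cannot silently start appearing in public responses.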
Potential Risks for Instagram Users
If this dataset is authentic, Instagram users, especially high-profile accounts and businesses, face elevated risks. Bad actors could exploit the data to impersonate users, launch phishing campaigns, or execute social engineering schemes. With detailed knowledge of follower and following lists, cybercriminals could craft convincing messages or phishing links that users might mistake for genuine.
Business accounts and influencers with large followings may be at even higher risk of brand impersonation, exposing them and their followers to financial scams and reputational damage.
Meta’s Response and Legal Implications
Cyberdefendnews reached out to Meta, which did not comment. While scraping data from a platform remains a legal gray area, Meta’s terms prohibit automated data scraping without permission. Meta reportedly has a dedicated External Data Misuse (EDM) team focused on curbing scraping attempts. The EDM team collaborates with threat intelligence researchers and hosting vendors to detect illegal datasets and stop them from circulating on hacker forums.
This incident highlights the complex and evolving challenge of data security for social media platforms and their billions of users worldwide.