A security researcher has discovered a publicly-accessible database containing the details of millions of Instagram users, including their contact information.

As TechCrunch reports, Anurag Sen discovered the database of more than 49 million records – exposed for anyone to access via the internet, no password required, on an unprotected Amazon Web Services bucket.

Each entry in the database included information apparently scraped from Instagram profiles: Users’ biography, profile picture, the number of people who follow them, whether the account is verified, their city and country, alongside more sensitive information such a the account owner’s email address and phone number.

However, it was the information found alongside these personal details which provided a clue as to where the data might have been leaked from, as TechCrunch explains:

We traced the database back to Mumbai-based social media marketing firm Chtrbox, which pays influencers to post sponsored content on their accounts. Each record in the database contained a record that calculated the worth of each account, based off the number of followers, engagement, reach, likes and shares they had. This was used as a metric to determine how much the company could pay an Instagram celebrity or influencer to post an ad.

Chtrbox has posted a message on its website, saying it has secured its leaky server, but disputing details of TechCrunch’s report which they described as “inaccurate”:

In the 3+ years of operations, we have never had data of over 350,000 influencers so claims that Chtrbox is responsible for leaking information of millions are downright impossible and false. This database contained information already available from the public domain, with a nominal amount which was self reported by influencers. Other public data points such as number of followers and engagement metrics that helps us select relevant influencers for brand collaborations were (Read more...)