Facebook-owned Instagram said that unknown hackers exploited a critical bug in its server and stole personal details, including contact details, e-mail addresses, and phone numbers, belonging to top celebrities, and are trading them on underground hacking forums.
The warning came on Wednesday when Instagram sent emails to celebrities with verified accounts on the platform explaining what happened. Apparently, hackers exploited a bug (which has now been fixed) to steal data – however, no passwords were stolen, the company claimed.
Instagram has confirmed the hack and said in a statement that: “We recently discovered that one or more individuals obtained unlawful access to a number of high-profile Instagram users’ contact information—specifically email address and phone number—by exploiting a bug in an Instagram API. No account passwords were exposed. We fixed the bug swiftly and are running a thorough investigation.”
“Our main concern is for the safety and security of our community. At this point, we believe this effort was targeted at high-profile users so, out of an abundance of caution, we are notifying our verified account holders of this issue. As always, we encourage people to be vigilant about the security of their account and exercise caution if they encounter any suspicious activity such as unrecognized incoming calls, texts, and e-mails.”
The IT security researchers at Kaspersky were the first to notice hackers trading personal data of celebrities on hacking forums. The researchers revealed the methods by which hackers were able to obtain confidential information from users.
The researchers noticed that the vulnerability resided in the mobile version of Instagram 8.5.1, launched in 2016 (the current version is 12.0.0). The attack procedure is relatively simple: using the obsolete version of the application, cyber criminals used the password reset function and intercepted the query using a web proxy. Then they selected a victim and sent a query to the Instagram server under the victim's username or identifier. The server then returned a JSON response containing the victim's personal information, including sensitive data such as phone number and email.
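The flaw described above comes down to a password-reset endpoint placing stored contact data in its JSON reply. The sketch below is an added illustration, not Instagram's code and not part of the original article; the handler names, field names and sample record are assumptions. It contrasts a reply that serialises the account record with one that returns a uniform body, and adds a check that can run in a test suite.

```python
import json

# Constructed account record; every field name and value here is hypothetical.
USERS = {
    "celebrity_one": {
        "user_id": 1001,
        "username": "celebrity_one",
        "email": "star@example.com",
        "phone": "+15555550123",
    },
}

GENERIC_BODY = {"status": "ok",
                "message": "If the account exists, a reset link has been sent."}


def reset_response_leaky(username):
    """Anti-pattern: the whole account record is serialised into the reply."""
    user = USERS.get(username)
    if user is None:
        return json.dumps({"status": "fail", "message": "no such user"})
    return json.dumps({"status": "ok", "user": user})


def reset_response_hardened(username, send_reset=lambda user: None):
    """Deliver the reset out of band; the reply is identical for every input."""
    user = USERS.get(username)
    if user is not None:
        send_reset(user)  # goes to the contact on file, never into the reply
    return json.dumps(GENERIC_BODY)


def leaks_contact_info(body, user):
    """Regression check: does a response body contain stored contact values?"""
    return any(user[field] in body for field in ("email", "phone"))


if __name__ == "__main__":
    victim = USERS["celebrity_one"]
    for handler in (reset_response_leaky, reset_response_hardened):
        body = handler("celebrity_one")
        print(handler.__name__, "leaks:", leaks_contact_info(body, victim))
```

Because the hardened reply is the same for existing and non-existing usernames, it also gives no signal about which accounts exist.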
Kaspersky Lab advises users who still use older versions of the application to upgrade to the latest version of Instagram. Another tip: to be safe on social networks, it is important to use different email addresses for each network and to report any irregular activity to the social network. More importantly, if you receive a password reset email that you did not request, immediately notify the social network.
It's noteworthy that the bug was used around the same time that, a couple of days ago, Selena Gomez had her Instagram account compromised. The unknown hacker or hackers then posted several nude pictures of Justin Bieber.
This, however, is not the first time that Instagram has been hacked. Last year, a 10-year-old kid found a critical security flaw allowing him to delete comments and descriptions from any Instagram picture. In December 2015, a security researcher hacked Instagram and gained access to its admin panel, but in return, Facebook threatened to sue the researcher for his findings.