Facebook took yet another blow last week when a database of Instagram user records was found sitting open on the internet, exposing the sensitive data of at least 49 million accounts. The leak was caused by yet another unprotected Amazon Web Services (AWS) server reachable from the internet, a trend that has ensnared a disturbing number of high-profile companies in recent years, including Facebook itself in a previous incident just last month.
The leak was discovered by security researcher Anurag Sen in mid-May and published by TechCrunch on May 20. The AWS-hosted database belonged to a Mumbai-based marketing company called Chtrbox and appears to have been online without a password for at least 72 hours. Roughly 1 in 20 Instagram users was affected, but the exposed records appear to be primarily those of "influencers" and celebrities.
The Instagram breach did not expose financial information, but it did grant access to location and contact information that may not have been meant to be public. The exposed database contained the profile pictures, city and country location, phone number, email address and number of followers of each user.
Breaking down the Instagram breach
Chtrbox is a marketing tool for Instagram influencers, used primarily to facilitate communication between brands looking for representation and the celebrities and high-profile users open to featuring their products. This breach thus did not impact the average Instagram user. The information in the insecure database consisted of influencer metrics and contact details, compiled for review and use by interested brands.
The database was pulled offline after TechCrunch published its report, but it had been online for at least 72 hours. The exposed record count currently stands at 49 million but could grow as the investigation continues.
This Instagram breach is yet another in a long list of AWS-hosted databases reachable from the internet without proper security. Such databases are generally discovered when a security researcher or an enterprising cyber criminal port-scans blocks of addresses, queries an internet-wide scan index such as Shodan, or uses other tricks such as searching certificate transparency logs for hostnames worth probing. None of these techniques requires any special access; the only thing protecting an unauthenticated database is the hope that nobody looks.
It is not even the first breach of this nature for parent company Facebook in 2019. In April, 540 million Facebook user records were exposed by way of an open AWS S3 bucket owned by Latin American digital media publisher Cultura Colectiva, and a second, separate open bucket belonging to the developer of a Facebook app called At The Pool exposed that app's data, including plaintext passwords used to access player accounts. Facebook's WhatsApp also took a hit earlier in May when it was revealed that a buffer overflow in its VoIP stack (CVE-2019-3568) had been allowing attackers to install spyware on target devices through a specially crafted voice call, which the victim did not even need to answer.
Questions in the wake of the breach
Chtrbox has issued a statement disputing the report, acknowledging the Instagram breach but claiming that the database only contained 350,000 records and that it did not contain private emails or phone numbers. Access to the database has been removed, so it is impossible to verify this claim at this point. TechCrunch has added the Chtrbox statement to its article but is standing by the original number at this time.
Regardless of the total number of accounts exposed in this Instagram breach, one must wonder why any were still sitting in an unauthenticated, internet-facing AWS database after years of similar incidents. No company really has an excuse for allowing this to happen any longer, but particularly not one associated with Facebook and handling its users' information.
Pankaj Parekh, chief product and strategy officer at SecurityFirst commented:
“This breach is really two breaches. How did Chtrbox get access to the private data of millions of Instagram users? It might have been a known API exposure in Instagram – the investigation is ongoing. And why didn’t Chtrbox secure the data that they posted on AWS? Cloud-based storage needs to be secured – technology to secure data in the cloud is available. Both Chtrbox and Instagram took a light approach to securing personal data, and both should be penalized.”
As Parekh points out, it is still unclear whether Chtrbox was even authorized to have some of the sensitive contact information that was apparently in its possession. Instagram has had several issues with its API in the last two years, including an August 2017 API bug that let attackers harvest the email addresses and phone numbers of millions of accounts, including those of high-profile users.
The timing of the Instagram breach is particularly bad for Facebook. The company really does not need anything more added to the seemingly endless string of gaffes that date all the way back to the Cambridge Analytica scandal of early 2018, but especially not with its “Project Libra” cryptocurrency poised to launch in early 2020. Data from Facebook users and accounts with its various subsidiary companies already has great value to hackers, but that value will skyrocket when access to these accounts could potentially grant access to tangible crypto funds.
According to Colin Bastable, CEO of Lucy Security:
“Facebook, which owns Instagram, said it was looking into the matter. Alternatively, as the old gag goes – ‘Facebook has been advised of yet another security hole. Mark Zuckerberg is looking into it.’
“Of course, it is no joke for the 49 million influencers, but anyone who entrusts their data to any part of the Facebook business must expect it to have a resale value.”
If financial information isn’t included, does it really matter?
Celebrities and public figures certainly do not want their private email address and phone number exposed, but setting that aside there does not appear to be much data in the Instagram breach that is of great concern.
The bigger issue is that these little bits and pieces of data are inevitably accumulated into monstrous repositories of personal information, typified by credential dumps such as the "Collection #1" series that surfaced in early 2019. The more of this data that is accumulated about a business or an individual, the easier it is for an attacker to carry off a targeted phishing attack, account takeover or social engineering scam: a verified phone number and email address tied to a named, high-follower account is exactly the starting point a SIM-swap or password-reset attack needs.
As Colin Little, Senior Threat Analyst, Centripetal Networks explains:
“This event confirms just how much like toothpaste our own data is: once it’s out of the tube, it’s out and is never going back in. Phone numbers, email addresses, and other PII can be legally bought and sold and the only opportunity we have to consent to this act is to read the fine print or abstain from using the service; it can also be illegally acquired by criminals because the database within which they reside is improperly secured. In almost any other venue in the world, when I use the service of a business such as a mechanic, that mechanic is solely responsible for the quality and security of the product. I don’t have to see if VIP has checked a national muffler repair chain’s labor standard, and then find out that the chain contracts labor out to countless third parties. This is the risk of using online services, of even registering for an account: that this PII will be sold to third parties without my knowledge and without truly informed consent.”
Laurence Pitt, Strategic Security Director, Juniper Networks, expands on the scope of the danger:
“Over the last six months there have been many stories in the news where public cloud databases are being left without strong passwords and exposed for anyone to access. There’s documentation on how to do this, and even tools such as GrayHatWarfare that help people! In essence anyone with a small amount of know-how can find open databases, and with enough people looking it’s only a matter of time before a database with sensitive information is discovered. Something I do wonder is that with all the stories that we hear about discovered databases, and knowing that there’s about 45 MILLION open databases out there, how many databases get discovered and immediately sold on in secret to someone on the DarkNet?
With all the education for end-users about how strong passwords, biometrics and MFA are the way to protect ourselves, isn’t it about time that more organizations holding our data stepped up in the same way?”
Securing AWS Cloud Buckets
While a company the size of Facebook, and any vendor entrusted with its users' data, should know better, data breaches due to improperly secured AWS resources are not always a case of simple neglect. Speed and ease of integration with other applications is often at odds with proper security procedures, and a database that was private when it was deployed can become internet-facing through a later change elsewhere in the environment.
Ameya Talwalkar, Co-founder and CPO, Cequence Security, summarizes the issue as follows:
“Very often, we find that some database storing private, sensitive data in the application layer is accessible over the internet. In most cases, there is no inherent security built into these databases. That is because they are meant to be accessed by other services and applications in the application tier – post authentication.
“There is a notion of explicit trust between the services/applications using these databases. In cases where these databases have some security/authentication support, it is usually not turned ON, in order to serve queries as fast as possible, based on the explicit trust model. As these application tiers are changing very rapidly due to fast dev-ops cycles, there is frequent change happening in that application tier. In some instances, these changes leave sensitive databases wide open for access from the public internet. These unintended exposures are due to errors in firewall policies, moving of security zones, moving of workloads and load balancing.
“Unfortunately, enterprises don’t discover such errors until after such a breach is widely reported on by media, and a lot of damage to users and to the brand has already resulted.
“How is this happening? The attackers are constantly scanning open/accessible servers/services on the internet. They are getting more focused on services that are hosted in the Public/Private cloud environments, where they know environments change frequently, which leads to higher probability of errors in security policies. When they discover such sensitive databases, they go after scraping as much data they can from them. That’s what happened to USPS in the past, and to Instagram influencers today.”
Each business will have its own unique challenges in integrating legacy systems and APIs with AWS cloud services. A good place to start is Amazon's AWS Security Best Practices white paper. Another item to look at is the new option to encrypt all new EBS volumes by default, though note that encryption at rest does nothing for a database that answers unauthenticated queries from the internet: it protects the disk, not the service listening on it. But whatever your individual business needs might be, this recent Instagram breach illustrates that a database holding user data must never be reachable from the public internet without authentication, and ideally should not be reachable from the public internet at all: keep it in a private subnet, restrict its security group to the application tier, and verify both with automated checks rather than assumptions. Given the relative ease of scanning for such systems and the number of people doing so, an unprotected database can realistically be located within a matter of hours.
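What those automated checks look like in practice, as an added example that is not code from the article, from Chtrbox or from AWS: a small Python audit run over constructed AWS resource descriptions, shaped like the parsed output of `aws s3api get-bucket-policy`, the PublicAccessBlockConfiguration object from `aws s3api get-public-access-block` and one entry from `aws ec2 describe-security-groups`. It covers the two ways a store ends up discoverable by the scanning described earlier in the article: a bucket policy or missing Block Public Access setting that makes an S3 bucket world-readable, and a security group rule that opens a database port to the internet (the "error in firewall policy" case Talwalkar describes). The weak configuration is shown beside the corrected one. The bucket name, account ID, security group IDs, sample documents and the list of database ports are all assumptions made for this example; nothing here touches the network.

```python
"""Audit AWS resource descriptions for internet exposure.

Added example for this article, not code from Chtrbox, AWS or the article's
sources. Sample documents below are constructed; run the same functions over
real CLI output (parsed JSON) to audit a live account.
"""
import ipaddress
import json

# Ports on which unauthenticated databases and search indexes commonly listen.
# This list is an assumption for the example; extend it for your own estate.
DB_PORTS = {3306: "mysql", 5432: "postgres", 27017: "mongodb",
            6379: "redis", 9200: "elasticsearch", 9042: "cassandra"}

# Condition keys that actually narrow *who* can reach a bucket. A Condition on
# anything else (e.g. aws:SecureTransport) still leaves it world-readable.
SOURCE_KEYS = {"aws:SourceVpce", "aws:SourceVpc", "aws:SourceIp", "aws:PrincipalOrgID"}


def is_public_principal(principal) -> bool:
    """True when a policy statement's Principal means 'anyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def condition_restricts_source(condition: dict) -> bool:
    """True when any Condition operator references a source-restricting key."""
    return any(key in SOURCE_KEYS
               for operands in condition.values() for key in operands)


def audit_bucket_policy(policy: dict) -> list:
    """Sids of Allow statements that grant access to everyone without a
    Condition tying the request to a VPC, IP range or organization."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if (is_public_principal(stmt.get("Principal"))
                and not condition_restricts_source(stmt.get("Condition", {}))):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def audit_public_access_block(config: dict) -> list:
    """S3 Block Public Access settings that are not switched on."""
    wanted = ("BlockPublicAcls", "IgnorePublicAcls",
              "BlockPublicPolicy", "RestrictPublicBuckets")
    return [k for k in wanted if not config.get(k, False)]


def audit_security_group(sg: dict) -> list:
    """(port, service, cidr) for inbound rules that open a database port to a
    source outside private address space. Rules whose source is another
    security group (UserIdGroupPairs) carry no CIDR and are not flagged."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if perm.get("IpProtocol") == "-1":  # an "all traffic" rule
            lo, hi = 0, 65535
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen == 0 or not net.is_private:
                findings += [(port, svc, cidr) for port, svc in DB_PORTS.items()
                             if lo <= port <= hi]
    return findings


# --- Constructed samples: the weak configuration beside the corrected one ---
WEAK_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowAnyoneToRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-influencer-exports",
                 "arn:aws:s3:::example-influencer-exports/*"]}]}
HARDENED_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowAppTierRoleOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-tier"},
    "Action": ["s3:GetObject"],
    "Resource": "arn:aws:s3:::example-influencer-exports/*"}]}
WEAK_PAB = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
HARDENED_PAB = {k: True for k in WEAK_PAB}
WEAK_SG = {"GroupId": "sg-0weak", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9200,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,  # not a DB port
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}
HARDENED_SG = {"GroupId": "sg-0hardened", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9200,
     "IpRanges": [], "Ipv6Ranges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-0apptier"}]}]}  # source = app tier


def audit_all(policy: dict, pab: dict, sg: dict) -> dict:
    """Collect the three audits into one report; empty lists mean clean."""
    return {"public_policy_statements": audit_bucket_policy(policy),
            "public_access_block_gaps": audit_public_access_block(pab),
            "internet_exposed_db_ports": audit_security_group(sg)}


if __name__ == "__main__":
    for label, docs in (("weak", (WEAK_BUCKET_POLICY, WEAK_PAB, WEAK_SG)),
                        ("hardened", (HARDENED_BUCKET_POLICY, HARDENED_PAB, HARDENED_SG))):
        print(label, json.dumps(audit_all(*docs)))
```

The hardened security group uses the application tier's security group as the source instead of a CIDR, which is what keeps both this audit and an attacker's port scan from ever seeing an internet-reachable database port; the hardened bucket policy names a single IAM role rather than relying on a Condition to narrow a `"*"` principal. Feeding real CLI output to these functions is a five-minute scheduled job, which is a much cheaper way to learn about an exposed store than reading about it on TechCrunch.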