Another day, another security issue for the Facebook family of companies. This time out, an Instagram data leak was discovered, exposing hidden contact information including the real names of millions of Instagram users and their phone numbers.
The silver lining here is that the leak was discovered by a white-hat hacker / security researcher and was patched by Facebook before there was any other known illicit access. Of course, “known” access is the key term here. Given that the hack was relatively simple and did not require advanced technical skill, it is quite possible that other parties have accessed private Instagram information in this way.
Details of the Instagram data leak
The other silver lining to this Instagram data leak is that it did not appear to expose any payment information. It was limited to looking up personal contact information by way of a set of vulnerabilities in the platform’s login form and its “Sync Contacts” feature. Forbes corroborated the story by having the Israeli hacker, who goes by the handle ZHacker13, access account data that reporters knew to be accurate.
The hack began with a simple brute force login attempt through the standard Instagram web interface. The hacker found a means to feed phone numbers to the login form, which would then flag the number if it was in use by an account. Instagram did not limit the number of attempts one could run.
With a list of phone numbers known to be attached to accounts at hand, the hacker could then set up a new account and attempt to sync contacts by entering the known valid phone numbers. Valid phone number matches would link to the holder’s account number and return their real name. The only limitation to this phase of the attack is a three-per-day restriction on synced contacts with each account, but the attacker could get around this with multiple accounts.
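Detection logic for the two patterns just described, as an added example that is not from the original article or from Instagram: one source probing many distinct phone numbers through a login lookup, and several freshly created accounts each exhausting a per-account daily contact-sync cap. The log format, field names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample events (hypothetical, not real platform telemetry):
# a login-form phone lookup and a "Sync Contacts" endpoint.
SAMPLE_LOG = """\
2019-09-01T10:00:01Z login_lookup src=203.0.113.5 phone=+15550000001 found=0
2019-09-01T10:00:01Z login_lookup src=203.0.113.5 phone=+15550000002 found=1
2019-09-01T10:00:02Z login_lookup src=203.0.113.5 phone=+15550000003 found=0
2019-09-01T10:00:02Z login_lookup src=203.0.113.5 phone=+15550000004 found=1
2019-09-01T10:00:03Z login_lookup src=203.0.113.5 phone=+15550000005 found=1
2019-09-01T10:00:09Z login_lookup src=198.51.100.7 phone=+15550000002 found=1
2019-09-01T10:05:00Z contact_sync src=203.0.113.5 account=new_a account_age_h=1 matched=3
2019-09-01T10:05:10Z contact_sync src=203.0.113.5 account=new_b account_age_h=1 matched=3
2019-09-01T10:05:20Z contact_sync src=203.0.113.5 account=new_c account_age_h=2 matched=3
2019-09-01T10:06:00Z contact_sync src=198.51.100.7 account=old_user account_age_h=9000 matched=3
"""

LINE_RE = re.compile(r"^(\S+) (\w+) (.*)$")

def parse_line(line):
    """Return (timestamp, event, {key: value}) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(3).split())
    return m.group(1), m.group(2), fields

def detect_phone_enumeration(log, min_distinct=5):
    """Flag sources probing many distinct phone numbers via the login form.
    A real user checks one or two numbers; an enumerator walks a list."""
    probes = defaultdict(set)
    for line in log.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1] == "login_lookup":
            probes[parsed[2]["src"]].add(parsed[2]["phone"])
    return {src: len(n) for src, n in probes.items() if len(n) >= min_distinct}

def detect_sync_abuse(log, daily_cap=3, max_age_h=24, min_accounts=3):
    """Flag sources where several fresh accounts each hit the per-account
    daily sync cap: the per-account limit is being spread over throwaways."""
    fresh_capped = defaultdict(set)
    for line in log.splitlines():
        parsed = parse_line(line)
        if not parsed or parsed[1] != "contact_sync":
            continue
        f = parsed[2]
        if int(f["account_age_h"]) <= max_age_h and int(f["matched"]) >= daily_cap:
            fresh_capped[f["src"]].add(f["account"])
    return {s: sorted(a) for s, a in fresh_capped.items() if len(a) >= min_accounts}
```

The thresholds are illustrative; in practice they would be tuned per endpoint and evaluated over a sliding time window rather than a whole log.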
This vulnerability in Instagram cannot be used to gain illicit access to accounts, but the phone numbers and real names it exposed are frequently not meant to be seen by the public. Knowledge of the phone number connected to the account could create a pathway for an attacker to take it over by way of a SIM swap attack.
Instagram issued a statement that the vulnerability had been patched out and that there was no illicit access of data in this way prior to the discovery, but it is always difficult to know these things for sure. Companies often do not learn of prior illicit access until account information starts appearing in dark web collections.
The last year or so has been quite bad for Instagram.
Last August, the platform saw a group of Russian hackers take control of hundreds of accounts. The hackers changed profile information and contact email addresses for purposes that are still not entirely clear. Users complained that it was excessively difficult to get access to their accounts restored, with the process often taking a number of days and multiple emails to the company.
The company also suffered two major data breaches that exposed the information of tens of millions of users. A third-party attack on influencer services contractor Chtrbox exposed the personal information of 49 million Instagram personalities, while a mysterious unsecured Amazon S3 database owned by an unknown United Kingdom company was found that contained private user information for 14 million more accounts. That makes this the third serious Instagram data leak within a year.
Of course, parent company Facebook has also been having a rough time. The social media giant has been embroiled in about two straight years of major data privacy controversies, dating back to the news of the massive Cambridge Analytica leak.
The increasing value of “public” contact information
Breaches like this recent Instagram data leak are sometimes met with an attitude of indifference; what can someone do with your name and phone number?
In isolation, perhaps not much. However, this information often finds its way into open collections traded through underground sources, and is sometimes even dumped to the general public. Each piece makes it easier for a scammer or hacker to pull off a confidence scheme or take over an account.
We touched on SIM swap attacks earlier, in which a hacker takes over a cellular phone account through nothing more than a call to the telco’s customer service line. The key to pulling off one of these attacks is knowing the target’s phone number and which of their online accounts it is connected to as a two-factor authentication method. That’s one of the main concerns with this recent Instagram data leak.
Each piece of contact information also helps to build a profile that can be used for very convincing phishing email attacks. In addition to being a risk to the financial information of individuals, phishing is usually the first step in breaching and gaining full access to business networks.
Each individual breach may only drop a few user details, but these trickles of information tend to flow to the dark web and coalesce in massive collections of data with detailed personal profiles available to anyone who is interested.
Protection from data leaks
At the consumer end, all that can be done is due diligence on the companies that are trusted with personal contact information. Aside from being cautious in sharing their own data, all consumers can do is demand that companies be better at this and vote with their feet (and for tighter regulations) when they get it wrong. In isolation, the Instagram data leak might seem like something minor enough to overlook. When taken with the other issues Instagram and Facebook have experienced recently, it’s not surprising that the platforms have seen recent drops in activity.
Chris DeRamus, co-founder and CTO, DivvyCloud, expanded on how companies can do better at their end:
“Security vulnerabilities such as this are often due to a misconfiguration. Organizations must do a better job at being proactive in ensuring their data is protected with automated security controls. Even companies with seemingly endless resources struggle with identifying and remediating misconfigurations and other vulnerabilities in real time. This risk is even greater when using cloud service providers, and organizations cannot wait to invest in security solutions that can detect misconfigurations and alert the appropriate personnel to correct the issue, or even trigger automated remediation in real-time to better safeguard sensitive data and maintain trust among users and customers.”
Anurag Kahol, CTO, Bitglass, makes the case for both better real-time data protection by companies and more proactive penetration testing to find these leaks of contact details internally before random internet people (or threat actors) come across them:
“There is an important distinction between what a user chooses to make public, such as a unique handle or username, and the personally identifiable information (PII) that they use to create accounts. When individuals make user profiles for any given service, they trust that their PII will be kept secure. While Instagram exposed users’ passwords a little less than a year ago, it appears that the company did not sufficiently learn its lesson. Instagram is now reported as having left names, account numbers, and phone numbers exposed, as well.
“While there are no signs that credentials were leaked or data was stolen by hackers, users could have had their accounts and information exposed if a researcher hadn’t found the issue and intervened. Companies cannot rely on others to find their security issues and instead must take a more proactive approach to defending user data. Organizations that have complete visibility and control over their data are in a better position to identify and remediate vulnerabilities that could be exploited by malicious actors. The days of reactive security have passed – real-time protections are now absolutely critical.”
The permanence of internet data makes this a high-stakes issue for both consumers and the companies that handle their personal information. One incident such as this recent Instagram data leak here, another cyber security incident there, and scores of people can end up dealing with identity fraud and phishing attempts for years. Protections for user accounts and corporate competence have to improve across the board to deal with this reality and prevent potential abuse.