The story began with the hack of Selena Gomez's Instagram account: a hacker hijacked it and published three nude photos of Justin Bieber.
A few days later, a vulnerability was reported in the Instagram application that allowed hackers to access information on high-profile users, including phone numbers and email addresses.
Stolen data of this kind can be used to target victims with social engineering attacks aimed at taking over their accounts and leaking their videos and photos.
The vulnerability affects the Instagram application programming interface (API) that is used to interact with other apps.
The company confirmed it is investigating a data breach in which an unknown hacker stole the personal details of more than 6 million Instagram accounts.
The situation appears to be more serious than initially thought: 6 million Instagram users, including sports and pop stars, politicians, and media companies, were affected.
Their Instagram profile information, including email addresses and phone numbers, is now available for sale on a website called Doxagram.
Experts believe Doxagram was created by the same Instagram hacker; the website lets anyone search the stolen information for only $10 per account.
According to THN, a researcher at Kaspersky Lab also found the same vulnerability in Instagram's mobile API and reported it to Instagram.
The flaw has been present in Instagram's code since 2016; according to Kaspersky Lab researchers, the attackers likely exploited it manually.
The hacker initially provided a sample of 10,000 stolen records: 9,911 of them include either a phone number or an e-mail address; 5,341 include a phone number, and 4,341 include both a phone number and an e-mail address.
The flaw was in the password reset option, which exposed users' mobile numbers and email addresses in the JSON response, but not their passwords.
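As an added illustration of the class of flaw described above (this is not Instagram's code, and the account record is constructed), here is a password-reset response that echoes full contact details back to the caller, beside a hardened version that returns only masked hints:

```python
"""Password-reset response: leaky form beside hardened form (added example)."""
import json
import re

# Constructed sample account record; not real data.
ACCOUNT = {
    "username": "example_user",
    "email": "someone@example.com",
    "phone": "+15551234567",
}


def leaky_reset_response(account: dict) -> dict:
    """Mirrors the flaw described above: the reset endpoint returns the
    account's full email address and phone number to any caller."""
    return {"status": "ok", "email": account["email"], "phone": account["phone"]}


def mask_email(email: str) -> str:
    """Keep the first character of the local part and the domain, hide the rest."""
    local, _, domain = email.partition("@")
    if not domain:
        return "***"
    return local[0] + "*" * max(len(local) - 1, 1) + "@" + domain


def mask_phone(phone: str) -> str:
    """Keep only the last two digits of the number."""
    digits = re.sub(r"\D", "", phone)
    return "*" * max(len(digits) - 2, 0) + digits[-2:]


def hardened_reset_response(account: dict) -> dict:
    """Hardened form: the caller learns only a masked hint of where the reset
    code was sent; the full email and phone never appear in the response."""
    return {
        "status": "ok",
        "sent_to": {
            "email": mask_email(account["email"]),
            "phone": mask_phone(account["phone"]),
        },
    }


def leaks_contact_data(response: dict, account: dict) -> bool:
    """Defender's check: does the serialized response contain the full
    email address or phone number of the account?"""
    body = json.dumps(response)
    return account["email"] in body or account["phone"] in body
```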
To secure their Instagram accounts, users are strongly advised to enable two-factor authentication and to always protect them with a strong password that is not reused elsewhere.
Be vigilant about possible phishing attacks: avoid clicking on suspicious links and attachments you receive by email, and never hand over your data to unverified parties.