Gordon Smith

Insta-Damn: Hackers Selling Six Million User Accounts

The selfishness of hackers knows no bounds; while they’re welcome to my banking details or my identity, I’m certainly drawing the line at my Instagram images. On this, I have no filter.


The Internet: it’s a dangerous thing, as your elderly relatives often tell you. Filled with the most strange of strangers and people dying to get a hold of your banking details, every time you log in you are asking for trouble. You may as well hang a sign outside your house saying, “steal from me.”

At least, as far as your Internet Explorer-equipped aunt is concerned.

Except, just this once, your aunt may be on the money.

A group of nefarious netizens calling itself “Doxagram” claims to have stolen the data of six million Instagram users and is selling their details on the dark web. The details, which include email addresses and phone numbers, have been harvested from accounts ranging from the official account of the President of the United States and large brands down to average, not-so-influential users.

The very personal details can be bought for the princely sum of $10 – via Bitcoin, the dark web’s preferred currency – through a searchable database that some experts are describing as the “biggest attack since the iCloud hack.”

While you may (quite understandably) be keen to see whether you are one of the six million people unfortunate enough to have been affected, there is currently no public way of checking: the only database that exists is the one the sellers themselves are operating on the dark web.

Instagram has emailed verified users – like brands and celebrities – who are at risk, but it appears that hackers have now reached even the most average of users. Security experts say that users should now be watching for unsolicited emails and calls from unknown numbers.

RepKnight cybersecurity analyst Patrick Martin told the Daily Mail that users “should take the same precautions as if it were published in the Sunday newspapers. Anyone can get hold of it, and it’ll probably end up being widely circulated for many years to come. Those affected by the breach will need to be extra wary of unsolicited emails and calls from unknown people – and will probably end up having to change their email addresses and phone numbers.”

With your details sold and the hackers having made a healthy profit, those dark web denizens will then likely target you with phishing attacks, Martin warns. “Your email address and phone number are significant attack vectors – it’s so easy for the bad guys to send a spoof email or text to the celebrities’ accountant, agent, or bank; or target you with a phishing attack.”

The nefarious hacking antics kicked off in a big way with celebrity Selena Gomez’s account seized and several full-frontal nude photos of her ex-boyfriend Justin Bieber being promptly posted.

The attack is believed to have been carried out by exploiting a bug in Instagram’s API, which has since been fixed.


After technology website Ars Technica reported on the breach, it received an email from someone claiming to have collected the data, offering it for sale. A 10,000-entry sample of the database was attached, which the emailer alleges is drawn from the data of six million users. Instagram itself has not confirmed the claims, but an analysis by Ars Technica and security researcher Troy Hunt – who maintains the “Have I Been Pwned?” breach notification service – “all but concludes it is legitimate.”

The Daily Mail then found a Bitcoin discussion forum where a user by the name of “Doxagram” advertised the database, boasting that “we offer the only Instagram lookup service on the market” and that “we can pull information on ANY Instagram account for you instantly!”

In the 10,000-user sample, 9,911 of the records include a phone number, an email address, or both. Cross-checking the sample showed that the usernames correspond to real Instagram users and that, where both a phone number and a location were listed, the area codes matched the locations.

The list of celebrities hit is vast, stretching across a wide range of genres and mediums. Lady Gaga, Beyoncé, Snoop Dogg and the National Geographic’s official account are among the dauntingly long list. The Daily Beast was also sent a sample of a further thousand accounts, which it reports consists largely of accounts with millions of followers: politicians, sports stars and media companies, along with more ordinary users.

“Instagram clearly hasn’t yet understood the full impact of this bug,” a “Doxagram” member told the Daily Beast.

In the hope of verifying the sample’s legitimacy, the publication tried to create new Instagram accounts with a random selection of the listed email addresses. Every one of them turned out to belong to an existing account. They also tested whether the email addresses could have been sourced from somewhere else on the Internet and determined that the addresses were not publicly available and must have come from a private source.

The same email addresses have not appeared in earlier breaches, the Daily Beast confirms, so the “Doxagram” hackers could not simply have collected them from previously publicised dumps.
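The checks described above (how many records carry contact details, whether area codes agree with listed locations, and whether the email addresses are explained by earlier breaches) can be run against a sample in a few lines. The following Python is an added example, not code from this article or from any of the publications it cites. The records, the tiny area-code table and the stand-in “previously breached” set are all constructed here; a real triage would use a full North American Numbering Plan dataset and query a breach-notification service such as Have I Been Pwned rather than an in-memory set. The sign-up probe the Daily Beast performed is deliberately not automated: creating accounts against a live service to test a dump is a step to take by hand, sparingly, and within the service’s terms.

```python
"""Triage of an alleged breach sample (added example; all data constructed).

Mirrors the checks reported in the article: how many records carry contact
details, whether NANP area codes agree with the listed location, and which
email addresses do not appear in earlier, known breaches.
"""
import re
from collections import Counter

# Constructed sample records; none of these are real users.
SAMPLE = [
    {"username": "user_a", "email": "a@example.com", "phone": "+1 212-555-0100", "location": "New York, NY"},
    {"username": "user_b", "email": "b@example.com", "phone": None, "location": None},
    {"username": "user_c", "email": None, "phone": "+1 310 555 0199", "location": "Los Angeles, CA"},
    {"username": "user_d", "email": None, "phone": None, "location": "London"},
    {"username": "user_e", "email": "e@example.com", "phone": "+1 (312) 555-0123", "location": "Miami, FL"},
]

# Deliberately tiny area-code table (assumption); a real check needs a full NANP dataset.
AREA_CODE_STATE = {"212": "NY", "305": "FL", "310": "CA", "312": "IL"}

# Stand-in for a breach-corpus lookup such as Have I Been Pwned (assumption:
# in practice this is a query to the service, not an in-memory set).
PREVIOUSLY_BREACHED = {"b@example.com"}


def contact_coverage(records):
    """Return (records with an email or phone, total records)."""
    with_contact = sum(1 for r in records if r.get("email") or r.get("phone"))
    return with_contact, len(records)


def nanp_area_code(phone):
    """Area code of a North American number in any common formatting, else None."""
    if not phone:
        return None
    digits = re.sub(r"\D", "", phone)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits[:3] if len(digits) == 10 else None


def location_state(location):
    """Two-letter US state at the end of a 'City, ST' location, else None."""
    m = re.search(r",\s*([A-Z]{2})$", location or "")
    return m.group(1) if m else None


def area_code_consistency(records):
    """Count match / mismatch / unknown_area_code over records that carry both
    a NANP phone number and a US state. Mismatches are a signal, not proof:
    people keep numbers when they move, so a few are expected in real data."""
    tally = Counter()
    for r in records:
        code, state = nanp_area_code(r.get("phone")), location_state(r.get("location"))
        if code is None or state is None:
            continue
        expected = AREA_CODE_STATE.get(code)
        if expected is None:
            tally["unknown_area_code"] += 1
        elif expected == state:
            tally["match"] += 1
        else:
            tally["mismatch"] += 1
    return dict(tally)


def not_in_known_breaches(records, known=PREVIOUSLY_BREACHED):
    """Emails in the sample that no earlier breach explains (sorted)."""
    emails = {r["email"].lower() for r in records if r.get("email")}
    return sorted(emails - {k.lower() for k in known})


if __name__ == "__main__":
    print("contact coverage:", contact_coverage(SAMPLE))
    print("area-code consistency:", area_code_consistency(SAMPLE))
    print("emails not seen in earlier breaches:", not_in_known_breaches(SAMPLE))
```

On the constructed sample this reports four of five records with contact details, two area-code matches and one mismatch, and two email addresses that no earlier breach accounts for. The useful signal is the combination: high contact coverage, mostly consistent area codes and addresses absent from prior dumps is what separates a fresh leak from a repackaged old one.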

The hackers claim that they initially wanted to target users with over one million followers and then opened up their criteria from there. When asked by the Daily Beast if they have any concerns about how the farmed data will be used, the hackers responded with an emphatic “not really.”

Instagram has warned users that the hackers used a bug in its system to access the highly followed accounts, but that the bug has already been resolved. “We recently discovered that one or more individuals obtained unlawful access to a number of high-profile Instagram users’ contact information – specifically email address and phone number – by exploiting a bug in an Instagram API. We fixed the bug swiftly and are running a thorough investigation. Our main concern is for the safety of our community and, out of an abundance of caution, we are reaching out to all verified accounts.”
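Instagram has not said what the API bug was, and nothing on this page describes it. The following Python is an added, hypothetical illustration of the bug class its statement points to: a profile-lookup endpoint that returns a user’s contact fields to any caller who can reach it, beside a hardened version that applies field-level authorisation and a per-caller rate limit. None of this is Instagram’s code; the accounts, field names, limits and the `harvest` loop are assumptions made for the example.

```python
"""Hypothetical profile-lookup endpoint (added example, not Instagram's code).

lookup_vulnerable() shows the bug class: contact fields are returned to any
caller. lookup_hardened() applies field-level authorisation and a per-caller
rate limit. Accounts, field names and limits are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    user_id: int
    username: str
    email: str
    phone: str
    verified: bool


# Constructed accounts; not real people.
ACCOUNTS = {
    "alice": Account(1, "alice", "alice@example.com", "+1 212-555-0100", True),
    "bob": Account(2, "bob", "bob@example.com", "+1 310-555-0199", False),
}

PUBLIC_FIELDS = ("user_id", "username", "verified")
PRIVATE_FIELDS = ("email", "phone")   # contact details: owner-only


class RateLimiter:
    """Allow at most `limit` calls per caller in any `window_s` seconds.
    The clock is injected so the example runs deterministically."""

    def __init__(self, limit, window_s, clock):
        self.limit, self.window_s, self.clock = limit, window_s, clock
        self._calls = {}

    def allow(self, caller_id):
        now = self.clock()
        recent = [t for t in self._calls.get(caller_id, []) if now - t < self.window_s]
        allowed = len(recent) < self.limit
        if allowed:
            recent.append(now)
        self._calls[caller_id] = recent
        return allowed


def lookup_vulnerable(username, caller_id):
    """Bug class: the caller is authenticated, but nothing checks that the
    caller owns the record, so email and phone go out to anyone who asks."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return None
    return {f: getattr(acct, f) for f in PUBLIC_FIELDS + PRIVATE_FIELDS}


def lookup_hardened(username, caller_id, limiter=None):
    """Field-level authorisation: contact fields only when the caller is the
    owner, plus an optional per-caller rate limit to slow bulk enumeration of
    the fields that are legitimately public."""
    if limiter is not None and not limiter.allow(caller_id):
        return {"error": "rate_limited"}
    acct = ACCOUNTS.get(username)
    if acct is None:
        return None
    resp = {f: getattr(acct, f) for f in PUBLIC_FIELDS}
    if caller_id == acct.user_id:
        resp.update({f: getattr(acct, f) for f in PRIVATE_FIELDS})
    return resp


def harvest(lookup, usernames, caller_id, **kwargs):
    """What an attacker does with such an endpoint: walk a list of usernames
    and keep whatever contact data comes back."""
    found = {}
    for u in usernames:
        r = lookup(u, caller_id, **kwargs)
        if r and any(r.get(f) for f in PRIVATE_FIELDS):
            found[u] = {f: r[f] for f in PRIVATE_FIELDS if f in r}
    return found


if __name__ == "__main__":
    targets = ["alice", "bob", "nobody"]
    print("vulnerable:", harvest(lookup_vulnerable, targets, caller_id=2))
    print("hardened:  ", harvest(lookup_hardened, targets, caller_id=2))
```

Run as caller 2 (bob), the vulnerable lookup hands back alice’s email and phone as well as his own; the hardened one returns contact details for bob alone. The authorisation check is the fix; the rate limit is defence in depth, because an endpoint that is correct field by field can still be walked at scale to build a list of which usernames exist.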

The platform stresses that, although it believes the hacking was targeted at high-profile users, all users should be “extra vigilant” about the security of their account. “Exercise caution if you encounter any suspicious activity, such as unrecognized incoming calls, texts, and emails. To make your account more secure, ensure two-factor authentication is enabled and pick a strong, unique password and keep it safe.”

Despite the claimed bug fix, Martin believes it may be too little too late. “The database is also online on the dark web, where it’s almost impossible to get a site taken down. This data will probably be sold in bulk to multiple sources, and is likely to be shared online for many years to come.”

Can affected users at the very least expect swift justice for those involved? Maybe. It all depends on where the culprits are located.

“If it’s a 14-year-old hacker in a London bedroom, the National Crime Agency will probably be knocking on their door already,” explains Martin. “If it’s an experienced cybercriminal team in Russia or North Korea, they may never be caught. Based on what we’ve seen so far, the hackers don’t appear to be particularly sophisticated.”

As always in these kinds of situations, prevention is better than treatment. Use a long, unique password for each account, ideally generated and stored by a password manager, and keep it well away from dictionary words. Length and uniqueness matter more than a clever mixture of numbers, symbols and mixed-case letters: a password reused elsewhere is only as safe as the weakest site that holds it.

Better still, as Instagram advises, enable two-factor authentication, which makes your account far harder to take over without access to your mobile phone (where a service offers it, an authenticator app is preferable to SMS codes, which can be redirected through a SIM swap). Note that two-factor authentication protects the login, not against a leak like this one, where the attackers never needed to log in to the victims’ accounts; its value here is in blunting the account-takeover attempts that the leaked email addresses and phone numbers make possible. Because once something’s on the Internet, chances are it’s never coming back.


Gordon Smith

Journalist by day, cunning linguist by night. A passion for politics, hypnotically involved in human rights. An Australian born with a Japanese tongue, hoping to hold the bigwigs in government to account.
