One or more hackers have been stealing celebrities’ e-mail addresses, phone numbers, and other personal information by exploiting a bug on Instagram’s servers, the company said Thursday.
Researchers from antivirus provider Kaspersky Lab said they recently spotted hackers in an underground forum advertising unnamed celebrities’ personal details. In an e-mail, a Kaspersky Lab representative said the researchers privately reported a data-leaking bug to Instagram. The Kaspersky Lab researchers went on to say that exploiting the bug was “quite labor intensive” because each attack had to be done manually rather than using an automated script to bypass mathematical calculations Instagram performs to prevent abuse.
To exploit the bug, according to Kaspersky Lab, attackers used the outdated Instagram mobile app—specifically version 8.5.1, which was released last year—to select the password-reset option. To capture the request, the attackers sent it to a Web proxy rather than the real Instagram servers. The attackers then modified the captured request to substitute the username sent to the Web proxy with the username of targeted celebrities. The Instagram server would then send a JSON-formatted response that included the target’s personal information. While the hackers used the outdated app to exploit the bug, the attack worked against all Instagram users, regardless of the app version they used.
A representative from the Facebook-owned photo-sharing service, meanwhile, said the exploited flaw resided in an Instagram programming interface. The representative said Instagram officials know of at least one person who actively exploited the bug. In a statement, the officials wrote:
We recently discovered that one or more individuals obtained unlawful access to a number of high-profile Instagram users’ contact information—specifically email address and phone number—by exploiting a bug in an Instagram API. No…