A group of unknown hackers who, earlier this week, exploited an Instagram bug to obtain the phone numbers and email addresses of 6 million Instagram account users are now selling that information on the dark web.
A researcher from Kaspersky Lab found the same vulnerability and reported it to Instagram. "The issue actually resided in the Instagram mobile API, specifically in the password reset option, which apparently exposed mobile numbers and email addresses of the users in the JSON responses - but no passwords," the researcher told The Hacker News.
The hackers targeted Instagram verified accounts, politicians, media companies, sports stars and, of course, A-list celebrities such as Miley Cyrus, Emma Watson, Beyonce, Floyd Mayweather and Leonardo DiCaprio. They have put this trove of information up for sale on a website called Doxagram, an Instagram lookup service where anyone can search for information on Instagram users at the rate of $10 per search query.
Doxagram, the website provided by the hackers, did not last long, as the authorities quickly brought it down, but the hackers quickly moved the website to the dark web. The Daily Mail identified a user named "Doxagram" on a Bitcoin forum, where he advertised the new dark web Instagram lookup site to those interested in the stolen trove.
Instagram has admitted the security bug and is said to have patched the issue, although it gave the number of affected accounts as very low.
"Although we cannot determine which specific accounts may have been impacted, we believe it was a low percentage of Instagram accounts," Instagram CTO Mike Krieger wrote.
However, Instagram says it is working with law enforcement authorities and promises a safer Instagram for users, while emphasizing that user security has always been its utmost concern.