As many as six million Instagram users could have had their email addresses and phone numbers leaked in a recent data breach.
Instagram acknowledged the hack but has yet to disclose how many people were affected.
So what’s the takeaway for users?
“Until the company says more, Instagram users should entertain the possibility the numbers and email addresses associated with their accounts are now public,” writes Dan Goodin in this Ars Technica story about the breach, the details of which we talk more about at the end of this post, but first, if you use Instagram, you might be asking “So what should I do now?”
Steps Instagram Users Can Take to Protect Themselves
- Of course, the usual advice holds true: You should immediately change your password to something unique and strong.
- Enable two-factor authentication, which Instagram does offer.
- If you get an Instagram password reset email you didn’t request, don’t click on any links or respond. Instead, contact Instagram by selecting “Report a Problem” and then selecting “Spam or Abuse.”
- Update your Instagram App, if you haven’t already.
- Follow Instagram’s advice: “We encourage you to be vigilant about the security of your account, and exercise caution if you observe any suspicious activity such as unrecognized incoming calls, texts or emails,” Krieger said. “Additionally, we’re encouraging you to report any unusual activity through our reporting tools.”
- We also recommend you become a LibertyID member. If your personal information is compromised in a data breach, your risk of identity theft increases exponentially. Millions of Americans have their identity stolen every year, and they don’t know how to repair the damage. If you’re a LibertyID member and your identity is stolen, we will fix it. Sign up for an annual LibertyID subscription now and rest easy knowing our certified restoration specialists know just how to repair the damage.
More About the Breach
An unspecified number of email addresses and phone numbers were stolen when attackers exploited “a bug in the Instagram API,” according to an “Important security notice” Instagram sent out to some users last week.
At first, Instagram said only high-profile users’ contact information was compromised and that the bug responsible was fixed swiftly. But on Friday, Sept. 1, Instagram warned the hack affected more than just the high profile users, though they still claim they “believe it was a low percentage of Instagram accounts,” according to Instagram CTO Mike Krieger in a blog post.
Stolen account details are reportedly online, via a searchable darknet database dubbed Doxagram, which claims to have credentials of 6 million users up for sale, for $10 a pop, payable in Bitcoin.
Instagram, which is owned by Facebook, has reported 700 million active users per month.
As reported in this Information Security Media Group story, “British cybersecurity firm RepKnight reports that email addresses and phone numbers associated with hacked Instagram accounts – including for 500 celebrities – are now being offered for sale on darknet sites. But it’s unclear whether all of those credentials are legitimate, or if scammers might also be at work.”
The hacker responsible emailed a sample database of 10,000 records to Ars Technica and claimed he was able to scrape personal data belonging to 6 million users.
“Of the 10,000 records in the sample, 9,911 of them include either a phone number or e-mail; 5,341 include a phone number, and 4,341 include a phone number and email,” according to the Ars Technica story.
Instagram hasn’t confirmed the authenticity of the sample, though notable security researcher Troy Hunt looked at the sample and said: “every indication is that it’s legitimate.”
Why Are Cyber Criminals After Your Email Address?
There’s a number of reasons cyber criminals hack into databases and steal email addresses and other personal information. They might want to take over your email account and email your contacts with malware-laden spam, or mine personal information from your account they could use to steal your identity.
Skeptical about how this could happen? Is your email address connected to your bank and credit card accounts? What if you used the same password for your email that you do for your bank accounts? You’d be surprised at how many folks use the same password for every account, despite repeated warnings. There’s an amazing amount of information stored in most people’s inboxes — invoices, scanned ID’s, insurance information, tax forms, travel itineraries, all things that could be used for identity theft. The fact remains, we’re living a big part of our lives through our email now.
Hackers could also use the information they find in your email — like which businesses and organizations you regularly communicate with — to construct highly targeted phishing campaigns where they try to steal even more information from you.
If your identity was stolen, who would you call? Did you know it can take up to 200 hours for identity theft victims to repair the damage? Millions of Americans have their identity stolen every year, and they don’t know how to repair the damage. If you’re a LibertyID member and your identity is stolen, we will fix it. Our certified restoration specialists could save you hundreds of hours of work by placing fraud alerts, making all the necessary phone calls, filing the disputes and contacting government agencies, creditors, insurance companies and more. There’s no limit to the time or money we will spend to restore your identity to pre-event status
Have you been a victim of a data breach?
Image: Pixabay