Millions of Instagram Users Have Their Data Scraped by a Sanctioned Partner of the Social Media Giant

Giulio Saggin
Tuesday, 28 November 2023

The data of millions of Instagram users has been scraped by one of the social media giant's officially sanctioned business partners, according to a report in Business Insider.

Business Insider refers to what happened as a "combination of configuration errors and lax oversight by Instagram", which saw marketing company Hyp3r "create detailed records of users' physical whereabouts, personal bios, and photos" courtesy of a tool that could geofence locations and gather public posts on Instagram that were tagged with that location. Hyp3r also stored this information indefinitely, whereas it was meant to disappear after 24 hours.

The amount of data gathered by Hyp3r is unknown. However, the company has said it has "a unique dataset of hundreds of millions of the highest value consumers in the world." Sources said more than 90% of Hyp3r's data came from Instagram and that it ingests more than one million (Instagram) posts a month.

Instagram reacted swiftly and stopped HYP3R's actions on August 7 with a cease-and-desist letter.

"HYP3R's actions were not sanctioned and violate our policies. As a result, we've removed them from our platform. We've also made a product change that should help prevent other companies from scraping public location pages in this way," said Facebook, owner of Instagram, via a statement.

The ease with which Hyp3r obtained the data has raised questions, with one former Hyp3r employee commenting: "For (Instagram) to leave these endpoints open and let people get to this in a back channel sort of way, I thought was kind of hypocritical. It takes very little effort for Instagram to protect the location data accessed by Hyp3r. Why they haven't done it remains a mystery."

This is the second instance of Instagram user data being compromised in several months, after nearly 50 million Instagram influencers, celebrities and brand accounts were found online, stored in an unguarded database, in May.

© 2024 SecAlerts Pty Ltd.