
Millions of Instagram Users Have Their Data Scraped by a Sanctioned Partner of the Social Media Giant

The data of millions of Instagram users has been scraped by one of the social media giant's officially sanctioned business partners, according to a report in Business Insider.

Business Insider refers to what happened as a "combination of configuration errors and lax oversight by Instagram", which saw marketing company Hyp3r "create detailed records of users' physical whereabouts, personal bios, and photos" courtesy of a tool that could geofence locations and gather public posts on Instagram that were tagged with that location. Hyp3r also stored this information indefinitely, whereas it was meant to disappear after 24 hours.

The amount of data gathered by Hyp3r is unknown. However, the company has said it has "a unique dataset of hundreds of millions of the highest value consumers in the world." Sources said more than 90% of Hyp3r's data came from Instagram and that it ingests more than one million (Instagram) posts a month.

Instagram reacted swiftly and stopped Hyp3r's actions on August 7 with a cease-and-desist letter.

"HYP3R's actions were not sanctioned and violate our policies. As a result, we've removed them from our platform. We've also made a product change that should help prevent other companies from scraping public location pages in this way," said Facebook, owner of Instagram, via a statement.

The ease with which Hyp3r obtained the data has raised questions, with one former Hyp3r employee commenting: "For (Instagram) to leave these endpoints open and let people get to this in a back channel sort of way, I thought was kind of hypocritical. It takes very little effort for Instagram to protect the location data accessed by Hyp3r. Why they haven't done it remains a mystery."

This is the second instance of Instagram user data being compromised in several months, after nearly 50 million Instagram influencers, celebrities and brand accounts were found online, stored in an unguarded database, in May.
