Hackers are reportedly selling millions of Instagram users' personal contact details, including those of celebrities, via a searchable database named Doxagram at just $10 (£7.7) a search. Multiple media outlets and a security firm have reported that the affected celebrity users range from Emma Watson, Emilia Clarke and Taylor Swift to the POTUS, David Beckham and Indian cricket legend Sachin Tendulkar.
Earlier this week, Instagram disclosed that a bug in its API was exploited by hackers to obtain the phone numbers and email addresses of some of its "high-profile users". The popular Facebook-owned social media network said it quickly fixed the bug and has been working with law enforcement on the matter.
However, it appears that the breach affected more than just a few high-profile accounts. The hackers launched a website with a searchable database to sell the email addresses and phone numbers of six million users, which were scraped before the glitch was fixed, for just $10 per enquiry paid via Bitcoin, Ars Technica reports.
"So far we've had 12 deposits totalling around $500," the site operator told Ars on Friday (September 1) roughly six hours after the website went live. "Not a horrible start."
The operator also provided Ars with a sample of 10,000 of the alleged records, which the site and security researcher Troy Hunt "all but concluded is legitimate". The operator also mentioned that he learned of Instagram's API flaw in an IRC (internet relay chat) discussion, saying other people have probably exploited the bug as well.
Instagram co-founder and CTO Mike Krieger said in a blog post: "Although we cannot determine which specific accounts may have been impacted, we believe it was a low percentage of Instagram accounts."
He noted that no passwords or other Instagram activity were revealed. "Protecting the community has been important at Instagram from day one, and we're constantly working to make Instagram a safer place. We are very sorry this happened."
The revelation comes after Selena Gomez's Instagram account was hacked and multiple nude photos of her ex-boyfriend Justin Bieber were posted.
The UK-based cybersecurity firm RepKnight found at least 500 A-list celebrities whose personal contact details have been put up for sale on the dark web. The celebrities affected in the breach include Emma Watson, Emilia Clarke, Leonardo DiCaprio, Channing Tatum and Zac Efron.
Celebrity musicians whose contact details were also identified include Beyonce, Lady Gaga, Taylor Swift, Rihanna, Katy Perry, Ellie Goulding, Victoria Beckham, Adele, Snoop Dogg and Britney Spears.
Sports figures whose accounts have been compromised include Floyd Mayweather, Zlatan Ibrahimovic, Neymar, Paul Pogba, Ronaldinho, David Beckham, Tendulkar and India's cricket captain Virat Kohli.
According to a list of 1,000 names sent to the Daily Beast, some of the political figures affected include the official account of the president of the United States as well as White House director of social media Dan Scavino.
"While Instagram has now fixed the bug that led to the leak, the cat is out of the bag now, and those affected will have to take extra care to maintain their privacy," RepKnight cybersecurity analyst Patrick Martin wrote in a blog post. "As dark web specialists at RepKnight, we were able to track down the identities of some of those affected using our sophisticated monitoring tools.
"The attack just goes to show the growing threat of the dark web. If you've been hacked and someone's posted your contact details on a site that Google cannot reach, you're highly unlikely to ever understand the severity of that hack.
"Everyone is at risk of the dark web these days — not just A-list celebrities. At RepKnight we see thousands upon thousands of posts every day relating to corporate and consumer data appearing on the dark web for sale, with those affected none the wiser."
IBTimes UK has reached out to RepKnight for more details.