Last week, hackers took over actress Selena Gomez’s Instagram account, which has over 125 million followers, and posted nude photos of Justin Bieber. Shortly thereafter, it became known that hackers exploited a vulnerability in Instagram that allowed them to obtain the personal details of millions of Instagram users, including celebrities. The hackers also allegedly harvested details from the Instagram account for the President of the United States, which is run by the White House social media team.
On Wednesday, Instagram patched the “mobile API bug in password reset.” That was too little, too late for some Instagram users whose personal details were later being sold by hackers on Doxagram. The hacker who provided Ars Technica with a sample of the data, said his automated attack could steal about 1 million accounts per hour. It was 12 hours before Instagram patched the flaw.
On Friday, Instagram apologized and said the flaw “could be used to access some people’s email address and phone number even if they were not public.” Law enforcement was involved, and the company believed the bug had been used on “a low percentage of Instagram accounts.”
By then, some Instagram users personal details were being sold by hackers on Doxagram. The searchable database Doxagram, which purportedly contained details on 6 million of Instagram’s 700 million users, didn’t stay online very long after it launched on Thursday. Doxagram moved to a different domain, but it was taken down again on Friday.
Fighting back, Instagram “purchased at least 280 domains” with the hope of limiting the number of potential Doxagram domains the hackers might try to buy. But that likely won’t be very effective. As The Daily Beast pointed out, there are over 1,500 types of domains. And now, the hackers have a Doxagram site on the normal web as well as on the dark web accessible over the Tor network.
The folks behind Doxagram, who claim to be from Russia, are selling the phone numbers and email addresses of celebrities, high-profile politicians and athletes. The service, they claim, is “100% legal.”
Doxagram allegedly has personal details from most of 50 most-followed Instagram accounts. The hackers told The Daily Beast they originally set up their scraper to target Instagram accounts that have more than 1 million followers, but they later harvested details from other users as well.
The full database is allegedly only available to people who spend at least $5,000 on their website. However, anyone can buy the phone number and/or email address of more than 6 million celebrities and other high-profile users for $10 worth of bitcoin per record. Discounts have been offered for bulk purchases.
It’s worth noting that the attackers claim to have “the full Instagram database (200M+ users) unlike Facebook is claiming, but we only sell information from that data to top customers ($5,000+ spent in shop) and only via XMPP/Jabber.”
Instagram, “out of an abundance of caution,” urged users to keep an eye out for “suspicious activity such as unrecognized incoming calls, texts, or emails” and to report any problems.
Ironically, the Doxagram Twitter account sent out a remind for users of its service to use strong passwords and keep their login information safe.
Please keep your login information safe. Use a strong password. We can’t do anything if your credit gets used by someone else.
— DoxAGram (@doxagram_insta) September 5, 2017