Almost 500 million Instagram users had their data scraped, hackers claim


If the threat actor is telling the truth, data from a quarter of all Instagram users is available on a cybercriminal forum.

On November 10th, a threat actor listed a dataset for sale on a notorious hacker forum, claiming it consists of records of 489 million Instagram users. Instagram has over two billion monthly active users, so if the claim holds, the dataset would cover roughly a quarter of all users.

[Image: scraped data sample. Source: Cybernews]

The hacker shared a sample of over 100 records, giving a preview of the information they claim to have acquired. The scraped data includes both public and private information, such as:

  • Username
  • Name
  • Email address
  • Biography
  • External URL
  • Follower and following counts
  • Location
  • Account creation date
  • Account category (e.g., business, influencer)
  • Targeted username for the scrape
  • User ID and scrape ID

While the threat actor claims the data is “freshly scraped,” the validity of data shared on hacker forums is always questionable. According to Cybernews researchers, the Instagram profiles shared in the data sample seem authentic.

However, the email addresses in the dataset sample were not present in the datasets compiled from previous breaches. This could mean either that the data is new or that it is fabricated.

“Public APIs should not expose such information as user email addresses if they are not also openly and publicly accessible when using the service normally,” said a Cybernews researcher.

“If the threat actor is to be believed, and they obtained the data by scraping a public API, it means that either a private Instagram API was exposed to the public or that their public API is vulnerable to Broken Object Property Level Authorization.”
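The bug class the researcher refers to, Broken Object Property Level Authorization (OWASP API Top 10, API3:2023), is easiest to see in code. The following is an added example, not code from the original article, Instagram or Meta: a profile endpoint that serializes the whole stored object leaks owner-only properties (here the email address, location and creation date) to any caller, including an unauthenticated scraper, while a hardened handler returns only the properties the caller is entitled to. The `Profile` schema, the sample records, the field lists and the function names are all constructed for the illustration and are not Instagram's actual schema or API.

```python
"""Vulnerable vs. hardened profile serialization (constructed example)."""
from dataclasses import dataclass, asdict
from typing import Optional


@dataclass
class Profile:
    # Assumed schema, modelled loosely on the fields listed in the leaked sample.
    user_id: int
    username: str
    name: str
    email: str
    biography: str
    external_url: str
    follower_count: int
    following_count: int
    location: str
    created_at: str
    category: str


# Constructed sample records; none of these correspond to real accounts.
PROFILES = {
    "alice_shop": Profile(1, "alice_shop", "Alice", "alice@example.com",
                          "Handmade goods", "https://alice.example", 12000, 310,
                          "Lisbon, PT", "2015-03-02", "business"),
    "bob": Profile(2, "bob", "Bob", "bob@example.net", "", "", 40, 120,
                   "Austin, US", "2019-11-20", "personal"),
}

# Allowlist of properties that are visible on a public profile page.
PUBLIC_FIELDS = frozenset({
    "user_id", "username", "name", "biography", "external_url",
    "follower_count", "following_count", "category",
})
# Properties only the account owner (or an authorized app) should receive.
OWNER_ONLY_FIELDS = frozenset({"email", "location", "created_at"})


def get_profile_vulnerable(username: str,
                           requester_id: Optional[int] = None) -> Optional[dict]:
    """BOPLA: dumps the entire object regardless of who is asking."""
    profile = PROFILES.get(username)
    if profile is None:
        return None
    return asdict(profile)  # email, location, created_at leak to everyone


def get_profile_hardened(username: str,
                         requester_id: Optional[int] = None) -> Optional[dict]:
    """Property-level authorization: serialize from an allowlist, then widen
    it only when the requester is the object's owner."""
    profile = PROFILES.get(username)
    if profile is None:
        return None
    allowed = set(PUBLIC_FIELDS)
    if requester_id is not None and requester_id == profile.user_id:
        allowed |= OWNER_ONLY_FIELDS
    return {k: v for k, v in asdict(profile).items() if k in allowed}


def leaked_private_fields(response: dict) -> list:
    """Test helper: which owner-only properties ended up in a response."""
    return sorted(set(response) & OWNER_ONLY_FIELDS)


def scrape(handler, usernames) -> list:
    """Simulate a scraper hitting the endpoint unauthenticated for each
    targeted username and keeping whatever comes back."""
    return [r for r in (handler(u) for u in usernames) if r is not None]


if __name__ == "__main__":
    targets = ["alice_shop", "bob", "nobody"]
    for name, handler in (("vulnerable", get_profile_vulnerable),
                          ("hardened", get_profile_hardened)):
        rows = scrape(handler, targets)
        leaked = sorted({f for r in rows for f in leaked_private_fields(r)})
        print(f"{name}: {len(rows)} records, leaked fields: {leaked}")
```

The hardened handler uses an allowlist rather than stripping known-sensitive keys, so a new column added to the model later is private by default instead of public by default; that is the property a review of a scrapable endpoint should check for.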

If the data proves real, users could be at heightened risk of impersonation and social engineering attacks. With such data, threat actors could craft convincing messages to extract more information or make users click on malicious links.

Business accounts and users with many followers might be exploited for brand impersonation or other types of fraud.


Cybernews has contacted Instagram’s parent company, Meta, for a comment, but a response has yet to be received.

While data scraping sits in a legal gray area, Meta's policies state that using automation to collect data without the company's permission violates its terms.

According to Meta's website, the company has a dedicated External Data Misuse (EDM) team focused on detecting and deterring scraping.

The team is also said to be working to prevent scraped datasets from being shared on online forums by engaging with threat intelligence researchers and working with responsible hosting vendors to take them offline.