Data from 489 million individuals, or nearly a quarter of Instagram's total users, was allegedly exfiltrated and exposed by a threat actor on a hacking forum, reports Cybernews.
More than 100 records shared by the hacker revealed the scraping of usernames, names, email addresses, biographies, follower and following counts, external URLs, and locations, as well as targeted usernames, user IDs and scrape IDs, account creation dates, and account categories. Despite the apparent authenticity of the leaked Instagram profiles, the presence of email addresses not seen in previous breaches has raised questions regarding the breach's legitimacy, with a Cybernews researcher noting that user email addresses should not be exposed by public APIs unless they could be accessed in normal app use. "If the threat actor is to be believed, and they obtained the data by scraping a public API, it means that either a private Instagram API was exposed to the public or that their public API is vulnerable to Broken Object Property Level Authorization," said the researcher. Instagram parent company Meta has previously touted efforts to mitigate data scraping through its External Data Misuse team.
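The property-level authorization problem the researcher describes, shown as an added example that is not code from Cybernews, Meta or Instagram: a profile endpoint that returns the whole stored record, next to one that filters each property by who is asking, plus a response audit a defender can run in tests. Field names follow the record fields listed above; the roles, the policy and the sample record are constructed assumptions.

```python
# Added illustration: deny-by-default property filtering for a profile API.
# The policy below is an assumption made for this example, not Instagram's.

PUBLIC_FIELDS = {
    "username", "name", "biography", "follower_count",
    "following_count", "external_url", "account_category",
}
POLICY = {
    "anonymous": PUBLIC_FIELDS,
    "owner": PUBLIC_FIELDS | {"user_id", "email", "location", "created_at"},
}

# Constructed sample record (not real data).
SAMPLE = {
    "user_id": 1001, "username": "example_user", "name": "Example User",
    "email": "user@example.com", "biography": "constructed bio",
    "follower_count": 12, "following_count": 34,
    "external_url": "https://example.com", "location": "Nowhere",
    "created_at": "2020-01-01", "account_category": "personal",
}

def serialize_profile_unsafe(record):
    """Weak pattern: return every stored property and trust the client to hide some."""
    return dict(record)

def role_for(record, viewer_id):
    """Only the account owner gets the owner view; everyone else is anonymous."""
    return "owner" if viewer_id is not None and viewer_id == record["user_id"] else "anonymous"

def serialize_profile(record, viewer_id=None):
    """Hardened pattern: emit only properties allowed for the viewer's role."""
    allowed = POLICY[role_for(record, viewer_id)]
    return {key: value for key, value in record.items() if key in allowed}

def audit_response(response, role):
    """Return the properties in a response that the role's policy does not allow."""
    return sorted(set(response) - POLICY[role])

if __name__ == "__main__":
    print("unsafe leaks:", audit_response(serialize_profile_unsafe(SAMPLE), "anonymous"))
    print("hardened leaks:", audit_response(serialize_profile(SAMPLE), "anonymous"))
```

Running `audit_response` over recorded API responses in CI catches a newly added sensitive column before it reaches an unauthenticated caller.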