Engineers at Instagram have revealed that hackers managed to gain access to the contact numbers and email addresses (but not passwords) of some of Instagram’s users via a bug in the app’s API (Application Programming Interface) used to communicate with other apps. After obtaining the information, the hackers tried to sell the information on a searchable database called Doxagram, which listed 1,000 accounts and charged users $10 for each search for Instagram users’ contact information. It appears the breach was initially discovered after celebrity Selena Gomez’s account was hacked last week. At first, it looked like just high-profile users were affected, but it has since become clear that the issue is more widespread.

Instagram says it does not know exactly how many of its 700 million monthly users may have had their personal details stolen or accounts hacked; however, the hackers claim they have details on as many as six million users. “We quickly fixed the bug, and have been working with law enforcement on the matter,” said Instagram co-founder Mike Krieger. Instagram has also offered its official advice on what to do if your account has been affected (see here). Instagram advised users to exercise additional caution if they receive any calls or emails from unknown or suspicious sources. “Additionally, we’re encouraging you to report any unusual activity through our reporting tools,” Instagram said. “You can access those tools by tapping the “…” menu from your profile, selecting ‘Report a Problem’ and then ‘Spam or Abuse.'” It also suggests users turn on two-factor authentication on their accounts for added protection. We encourage you to be vigilant about the security of your account and be on alert for any suspicious activity.

More information about the Instagram breach can be found in the article, “Instagram Warns Hack More Widespread Than Expected,” published by Data Breach Today.

Check out our series, Privacy Perils, to learn what steps you can take to guard your personal and company data. For more information about this topic and other cyber security concerns, please contact a member of our Privacy & Data Security team.