Hackers have found a major flaw in the Instagram system, allowing them to "harvest the emails and phone numbers of up to 500 celebrities."
The flaw was found in code that the company began using in 2016. According to Kaspersky Lab researchers, the hackers would have had to manually infiltrate the system, since "Instagram's protection prevented automated scraping."
Although the image-centric social media site patched the problem after being told about it last Tuesday, the contact information for hundreds of celebrities is now available on the darknet via a searchable database. According to CNET, security company RepKnight discovered the database.
The sellers have dubbed themselves Doxagram, a combination of Instagram and "doxxing," an internet term that means dumping someone's private information online.
RepKnight found contact information for over 500 celebrities and sports stars, including boxer Floyd Mayweather, Miley Cyrus, Emma Watson, Beyonce, and others.
"While Instagram has now fixed the bug that led to the leak, the cat is out of the bag, and those affected will have to take extra care to maintain their privacy," RepKnight analyst Patrick Martin said.
Doxagram has taken credit for posting the contact information of close to 6 million users. On a bitcoin forum, they claimed to be "the only Instagram lookup service on the market" and could "pull data on any Instagram account."
"We take people's security very seriously and are working closely with law enforcement on this matter," Instagram said in a statement Friday. "We encourage people to be vigilant about the security of their account and exercise caution if they encounter any suspicious activity such as unrecognized incoming calls, texts and emails." (Suspicious activity can be reported by tapping the "..." menu in your profile and selecting "Report a Problem," then "Spam or Abuse.")
Someone claiming to be Doxagram contacted Ars Technica on Friday, bragging that he had made $500 within six hours. On Wednesday, Instagram said the attack targeted "high profile" users with the blue checkmark verification.
Even so, some unverified users have also been hacked. No passwords have been stolen, but users should change them just to be safe, and consider switching their profiles to private.
Doxagram claimed they stole information from approximately one million accounts in an hour.