Technology website TechCrunch on Monday reported that it had traced a massive database of contact information of millions of Instagram influencers, celebrities and brands, which was left exposed and without a password, to Mumbai-based social media marketing firm Chtrbox.
The database had more than 49 million records at the time the website published the report. The website said security researcher Anurag Sen had alerted it after discovering the database so that the owner could be alerted about the breach.
According to the website, the files contained public data scraped from the accounts, including the users’ bio, profile picture, the number of their followers, their location by city and country, and their private contact information such as email addresses and phone numbers.
Instagram told the BBC on Tuesday it was trying to find out where the data had come from. “We are looking into the issue to understand if the data described – including email and phone numbers – was from Instagram or from other sources,” it said in a statement. “We are also inquiring with Chtrbox to understand where this data came from and how it became publicly available.”
Chtrbox reportedly pays influencers – users with a big audience, who can persuade their users to act on their recommendations – to post sponsored content on their accounts. Each record in the database contained details of the worth of each account that was calculated using the number of followers, engagement, reach, likes and shares. This was used to determine how much the company could pay an influencer or celebrity to post an advertisement, TechCrunch reported.
The website contacted at random several people whose details were on the database. Two people confirmed their email address and phone number found in the database was used to set up their Instagram accounts. However, they denied any involvement with the Mumbai-based company.
Chtrbox took the database offline after TechCrunch contacted it. The company’s founder and Chief Executive Officer Pranay Swarup did not answer questions about how the company obtained private Instagram account email addresses and phone numbers.