Three days after the pop singer and actress Selena Gomez’s Instagram account was briefly taken down for posting nude pictures of fellow pop star Justin Bieber, Instagram has revealed that one or more hackers have been stealing celebrities’ e-mail addresses, phone numbers, and other personal information by exploiting a bug on the company’s servers.
Researchers from Kaspersky Lab said they recently spotted malicious actors on an underground forum advertising unnamed celebrities’ personal details. A Kaspersky Lab representative said the company's researchers also privately reported the bug to Instagram.
According to the researchers, exploiting the bug was “quite labor intensive” because rather than using an automated script, each attack had to be done manually to bypass mathematical calculations Instagram performs to prevent such attempts.
A representative from Instagram said the exploited flaw resided in the platform’s programming interface. Company officials wrote in a statement:
“We recently discovered that one or more individuals obtained unlawful access to a number of high-profile Instagram users’ contact information—specifically email address and phone number — by exploiting a bug in an Instagram API. No account passwords were exposed. We fixed the bug swiftly and are running a thorough investigation.”
“Our main concern is for the safety and security of our community. At this point, we believe this effort was targeted at high-profile users so, out of an abundance of caution, we are notifying our verified account holders of this issue. As always, we encourage people to be vigilant about the security of their account and exercise caution if they encounter any suspicious activity such as unrecognized incoming calls, texts, and e-mails.”
After the Selena Gomez account was compromised, Variety claimed the mishap was the result of Gomez’s account being hacked. But neither Instagram nor Kaspersky Lab said the account takeover had any connection to the exploited bug, or that the attacks exposed passwords.
Such events provide yet another reminder that it’s a good idea for users to enable two-factor authentication to better protect their accounts against such attacks.