Last week Instagram revealed in a blog post that they’d discovered a bug that allowed access to the contact information of what they described as “a low percentage of Instagram accounts.” Although Instagram didn’t reveal the number of accounts affected, it’s reported that an unknown hacker stole the personal details of up to six million Instagram accounts. That is a huge number in itself, but I guess it is a ‘low percentage’ of 700 million daily active users.
The bug, according to a researcher at Kaspersky Lab, was within Instagram’s mobile API. When a password reset request was made, the JSON response from the Instagram API accidentally exposed mobile numbers and email addresses. Instagram state that “no passwords or other activity was revealed.”
Before it was patched, the bug allowed the hackers to scrape Instagram for contact details, including those of some of the most-followed and high-profile accounts. Hackers then made these exposed contact details available on a public database, known as ‘Doxagram’.
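To make the bug pattern concrete, here is an added illustration (not Instagram’s code, and not from the Kaspersky report): a password-reset lookup that echoes the full contact record back to an unauthenticated caller, beside a hardened version that returns only masked hints, plus the kind of response check a defender would put in an API test suite. The account store, usernames and contact values are constructed sample data.

```python
import json
import re

# Constructed sample account store (not real data).
ACCOUNTS = {
    "alice": {"email": "alice@example.com", "phone": "+15550001234"},
}

# Detectors for unmasked contact details in a response body.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+?\d{10,15}")


def leaky_reset(username):
    """The bug pattern: an unauthenticated reset request is answered
    with the account's full email address and phone number."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return json.dumps({"status": "not_found"})
    return json.dumps({"status": "ok", "email": acct["email"], "phone": acct["phone"]})


def mask_email(email):
    """Keep the first character of the local part and the domain."""
    local, _, domain = email.partition("@")
    return local[0] + "*" * (len(local) - 1) + "@" + domain


def mask_phone(phone):
    """Keep only the last two digits."""
    return "*" * (len(phone) - 2) + phone[-2:]


def hardened_reset(username):
    """Same generic envelope for known and unknown usernames, and only
    masked hints that the legitimate owner can recognise. Note that a
    non-empty hints list still confirms the account exists, so keep
    this endpoint rate-limited or drop the hints if enumeration matters."""
    acct = ACCOUNTS.get(username)
    hints = []
    if acct is not None:
        hints = [mask_email(acct["email"]), mask_phone(acct["phone"])]
    return json.dumps({"status": "ok",
                       "message": "If the account exists, a reset link was sent.",
                       "hints": hints})


def leaks_contact_details(body):
    """Defender-side check for an API test suite: True if the response
    body contains an unmasked email address or phone number."""
    return bool(EMAIL_RE.search(body) or PHONE_RE.search(body))
```

Running `leaks_contact_details` over recorded reset responses is a cheap regression test for exactly this class of exposure.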
What’s a Doxagram?
Doxagram, for the price of $10 paid in Bitcoin, allowed users to search for the contact details of an Instagram account. Because no passwords or other information was revealed, this contact information by itself didn’t allow hackers (or searchers) access to any of the accounts. But when used in tandem with social engineering techniques, and other personal information – easily obtainable about very public figures – hackers could have gained access to many influential accounts on the platform, including actors, politicians, sports stars and media companies. And six-million-or-so others.
Originally, the database was hosted on a .com domain, and later moved to .ws, but both of these websites were taken down, either by Instagram or the company controlling the domain. Since then, Instagram has fought back against the hackers by registering a bunch of ‘doxagram’ domain names with different extensions.
A who.is lookup for ‘doxagram.co’ reveals Instagram’s own domain contact information for their Silicon Valley HQ: ‘Instagram LLC, 1601 Willow Road, Menlo Park, California’. It’s predicted that Instagram, and their parent company Facebook, registered up to 250 different variations of the Doxagram domain name, from .net to .ninja, in an attempt to cut off the hackers’ network of circulation. However, as there are over 1500 possible extensions, Instagram has only cut off a sixth of the available Doxagram domains, ignoring any variants on the spelling.
Since the fightback, however, Doxagram has moved to .onion domains on the dark web where there is less that Instagram can do to fight them.
Although Instagram seems to have kept Doxagram off the public web (for now, at least), the danger is still present for users whose details were leaked. As described, accounts could be recovered without the need for a password, so Instagram suggests all users secure their accounts with two-factor authentication as well. On top of recovered accounts, there is the threat of harassment, as leaked phone numbers and email addresses could lead to targeting and aggravation in the form of phishing emails and unsolicited messages.
What can you do?
Any Instagram users worried that their details have been leaked should check breach-checker websites like https://haveibeenpwned.com, and take adequate security measures. Website owners worried about the risks of someone impersonating their site should consider following Instagram’s approach by registering similar domains, and protecting contact details with domain privacy.