6 Million Celebrities Instagram High-Profiles Data available for sale on DoxaGram

Doxagram website claims to be selling the email addresses and phone numbers of 6M High-Profiles Instagram accounts ranging from POTUS to Taylor Swift.

The story began with the hack of the Selena Gomez Instagram account, a hacker hijacked it and published three nude photos of Justin Bieber.

A few days later, it was reported a vulnerability in the Instagram application that allowed hackers to access information for high-profile users including phone numbers and email addresses.

Stolen data could be used by hackers to target victims with social engineering attack aimed to access their accounts and leak their video and photos.

The vulnerability affects the Instagram application programming interface (API) that is used to interact with other apps.

The company confirmed it is investigating a data breach, an unknown hacker has stolen personal details of more than 6 million Instagram accounts.

The situation appears to be more serious than initially thought, 6 million Instagram users, including sports and pop stars, politicians, and media companies, were affected.

Now their Instagram profile information, including email addresses and phone numbers, are available for sale on a website called Doxagram.

Experts believe Doxagram was created by the same Instagram hacker, the website allows anyone searching for stolen information only for $10 per account.

According to THN, a researcher at Kaspersky Labs also found the same vulnerability in the Instagram’s mobile API and reported it to Instagram.

The flaw affects the Instagram code since 2016, according to Kaspersky Lab researchers, it is likely the attackers exploited it manually.

“So far we’ve had 12 deposits totaling around $500,” Doxagram operator told Ars early Friday morning, about six hours after the service went live. “Not a horrible start.”

The hacker initially provided a sample of 10,000 of stolen records, 9,911 of them include either a phone number or e-mail; 5,341 include a phone number, and 4,341 include a phone number and e-mail.

The flaw affected the password reset option that exposed mobile numbers and email addresses of the users in the JSON response, but not passwords.

To secure Instagram accounts, users are highly recommended to enable two-factor authentication on their accounts and always secure them with a robust and different password.

Be vigilant about possible phishing attacks, avoid clicking on suspicious links and attachments you receive in an email and never provide your data to unverified interlocutors.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Doxagram, Instagram)

[adrotate banner=”12″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.