Site sells Instagram users’ phone and e-mail details, $10 a search


At first glance, the Instagram security bug that was exploited to obtain celebrities’ phone numbers and e-mail addresses appeared to be limited, possibly to a small number of celebrity accounts. Now a database of 10,000 credentials published online Thursday night suggests the breach is much bigger.

The database was provided by someone who e-mailed in response to Thursday’s story, mentioned above, about the Instagram breach. The sender said he was able to scrape personal data belonging to 6 million users and was selling the data on a searchable website for $10 per query. The person provided a sample of 10,000 of those records.

While Instagram has yet to confirm the authenticity of the sample, an analysis by Ars and security researcher Troy Hunt, maintainer of the Have I Been Pwned breach notification service, all but concludes it’s legitimate. To protect potentially affected end users, Ars isn’t publishing the sites hosting the sale of the purported 6 million records or the sample, which was freely available when this post was going live.




Source: Ars Technica – Site sells Instagram users’ phone and e-mail details, $10 a search