Instagram | Data Breach

moderate | Anti-Privacy | Data Breach

Executive Summary

Business Insider revealed that Hyp3r, an official Instagram advertising partner, had been secretly scraping millions of users' location data, Stories, and profile information from Instagram for up to a year. Hyp3r built detailed location-based profiles of users without their knowledge or consent. Instagram revoked Hyp3r's access and sent a cease-and-desist letter, calling the scraping unauthorized.

What Happened

In August 2019, Business Insider revealed that Hyp3r, an official Instagram advertising partner, had been secretly scraping millions of users' location data, Stories, and profile information for up to a year. The company collected this data against Instagram's policies by exploiting Instagram's Location pages, which served up public account information to anyone who requested it. After being informed by Business Insider, Instagram confirmed the policy violations, revoked Hyp3r's platform access, and sent a cease-and-desist letter. Instagram also implemented a product change to prevent similar scraping of public location pages.

Who Is Affected

Millions of Instagram users who visited locations tracked by Hyp3r and had public accounts were affected by this unauthorized data collection. Hyp3r built detailed shadow profiles by combining users' exact locations, objects in their photos, types of places visited, and other demographic information without users' knowledge or consent. The scraping primarily targeted users who posted content associated with specific locations like events, concerts, or venues.

Why It Matters

This incident demonstrates how trusted advertising partners can violate platform policies for extended periods, raising questions about whether Instagram was ignorant of or complicit in the data collection that occurred for years. The case highlights the vulnerability of public social media data to systematic harvesting and profile-building beyond what users might expect. Hyp3r's business model adapted to circumvent API restrictions imposed in early 2018, showing that technical barriers alone may be insufficient to protect user privacy when companies are motivated to exploit workarounds.

What You Should Do

Instagram users concerned about location tracking should review their privacy settings and consider switching their accounts from public to private to limit who can see their posts and location data. Users should be cautious about tagging specific locations in their Stories and posts, especially at venues or events where third-party marketing companies may be collecting data. The available sources do not describe specific tools or settings Instagram may have introduced in response to this incident.

AI-Assisted

Event summaries are generated by Claude AI from verified sources and reviewed by humans before publication.
