
Instagram Data Breach

moderate | Anti-Privacy | Data Breach

Executive Summary

Security researcher Anurag Sen discovered an unprotected AWS database belonging to Mumbai-based influencer marketing firm Chtrbox, containing personal records of approximately 49 million Instagram users. The exposed data included contact information, profile details, location data, and a calculated 'worth' metric for each account. The database was taken offline after TechCrunch reported the exposure.

What Happened

On May 20, 2019, security researcher Anurag Sen discovered an unprotected AWS database belonging to Mumbai-based influencer marketing firm Chtrbox that contained over 49 million Instagram user records. The database was left exposed without password protection, allowing anyone to access it. The exposed data included both public information scraped from Instagram accounts and private contact information such as email addresses and phone numbers, along with calculated account worth metrics used to determine influencer payment rates.

Who Is Affected

Approximately 49 million Instagram users were affected, including influencers, celebrities, and brand accounts. TechCrunch confirmed with randomly contacted individuals that their email addresses and phone numbers used to set up Instagram accounts were in the database, even though these individuals had no relationship with Chtrbox. Chtrbox later disputed the scale, claiming only 350,000 influencers were affected, though this conflicts with independent verification.

Why It Matters

This breach exposed private contact information that Instagram users provide only to the platform, not to third-party marketing firms, raising questions about how Chtrbox obtained this data. The exposure lasted from at least May 14 to May 20, contradicting Chtrbox's claim of only 72 hours, and the data was accessible to anyone during this period. The incident demonstrates how third-party companies can aggregate and expose user data from social platforms without users' knowledge or consent.

What You Should Do

If you are an Instagram influencer or have a public Instagram account, consider changing the email address and phone number associated with your account if you receive unexpected contact or spam. Enable two-factor authentication on your Instagram account to add an extra layer of security. Be cautious of unsolicited sponsorship offers or phishing attempts that may reference information from this breach.

AI-Assisted

Event summaries are generated by Claude AI from verified sources and reviewed by humans before publication.
