Instagram breach results in up to 6 million users' phones and email addresses being sold for 10 bucks a pop


If you've been on the internet in the past, say, five years or so, you've undoubtedly at some point been the target of a request to enable two-factor authentication for some online service. And while giving away your phone number to a random corporation doesn't sound like the best idea ever, this is one of the best ways to protect your accounts against unauthorized third parties.

But it seems that even a tech giant like Facebook has some trouble keeping users' private info to itself: a report from Variety has just highlighted how hackers have been exploiting Instagram's password recovery to steal and sell users' private information, including email addresses and, for those who had 2FA enabled, their phone numbers.

But while high-profile hacks are a dime a dozen these days, what's staggering here is how easily the information was obtained: in essence, sending a password reset request from an old version of the Instagram app resulted in a response containing an account's private data (sans password, thankfully).
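To make that failure mode concrete, here is an added illustration in Python. It is not Instagram's code and does not come from the Variety or Ars reports; the account store, the API-version dispatch and the "outbox" are constructed for the example. The legacy handler confirms that an account exists and echoes the contact details on file, which is the shape of bug the article describes. The hardened handler sends the reset token only over the channel already on file and returns one generic reply for every username, so the HTTP response reveals neither contact data nor whether the account exists.

```python
"""Hypothetical password-reset endpoint: leaky legacy path vs hardened path.

Added example, not Instagram's code. Accounts, version dispatch and the
outbox are constructed assumptions for the illustration.
"""
import secrets
from dataclasses import dataclass, field

# Constructed sample accounts (not real data).
ACCOUNTS = {
    "alice": {"email": "alice@example.com", "phone": "+15550100"},
    "bob": {"email": "bob@example.com", "phone": None},
}

# One reply for every username: no contact data, no existence oracle.
GENERIC_REPLY = {
    "status": "ok",
    "message": "If that account exists, a reset link has been sent.",
}


@dataclass
class Outbox:
    """Stand-in for the email/SMS sender; records what goes out-of-band."""
    sent: list = field(default_factory=list)


def reset_leaky(username: str) -> dict:
    """Legacy behaviour: the response itself carries the email and phone,
    so anyone who can guess a username harvests the contact data. The
    distinct error for unknown users also allows account enumeration."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return {"status": "error", "message": "no such user"}
    return {"status": "ok", "email": acct["email"], "phone": acct["phone"]}


def reset_hardened(username: str, outbox: Outbox) -> dict:
    """Fixed behaviour: the token travels only to the address on file, and
    the HTTP reply is identical whether or not the account exists."""
    acct = ACCOUNTS.get(username)
    if acct is not None:
        token = secrets.token_urlsafe(32)
        outbox.sent.append({"to": acct["email"], "token": token})
    return dict(GENERIC_REPLY)


def handle_reset(request: dict, outbox: Outbox, legacy_path_patched: bool) -> dict:
    """Version dispatch (assumed shape). Until the legacy path is patched,
    a request that declares an old API version still reaches the leaky
    handler; after the patch every version gets the hardened reply."""
    username = request["username"]
    if request.get("api_version", 1) < 2 and not legacy_path_patched:
        return reset_leaky(username)
    return reset_hardened(username, outbox)


if __name__ == "__main__":
    old_client = {"username": "alice", "api_version": 1}
    print("unpatched:", handle_reset(old_client, Outbox(), legacy_path_patched=False))
    print("patched:  ", handle_reset(old_client, Outbox(), legacy_path_patched=True))
```

The point of the second handler is not only that the email and phone leave the response body: because the reply is byte-for-byte the same for "alice" and for a name that does not exist, a scraper cannot even use the endpoint to confirm which usernames are real. Removing the old client's code path, rather than just changing what the new client gets, is what closes the hole.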

Instagram claims to have already patched the bug, and has also notified all holders of verified accounts (celebrities were initially thought to be the primary target of the attack). Not that this would be of any help against a leaked phone number, of course.

However, the number of affected accounts seems to be quite a bit larger than initially claimed: Ars Technica reports that it was contacted by the owner of a website selling access to a searchable database of 6 million breached Instagram accounts. To prove it, the seller sent a "sample" containing 10,000 accounts, which Ars says appear to be legitimate. The kicker? The website is publicly available, and can be accessed for $10 per search.

The latest official Instagram user count says there are about 700 million registered accounts, so the chances of your account being part of this alleged 6 million figure are roughly 0.86% (6 divided by 700). So this is a pretty small breach when compared with 2013's Adobe breach (150 million accounts), or the two Yahoo breaches disclosed last year (500 million and 1 billion accounts, 1.5 billion combined). Regardless, it's advisable to check Have I been pwned? every once in a while just to be on the safe side.
