A massive database containing the contact information of millions of Instagram influencers, celebrities, and brand accounts has been exposed online. The database, hosted on Amazon Web Services, was left without a password, allowing anyone to look inside. It is thought to hold over 49 million records. It was discovered by security researcher Anurag Sen and reported by TechCrunch, whose article says: “From a brief review of the data, each record contained public data scraped from influencer Instagram accounts, including their bio, profile picture, the number of followers they have, if they’re verified and their location by city and country, but also contained their private contact information, such as the Instagram account owner’s email address and phone number.”
Here is what industry experts are saying about this incident.
Laurence Pitt, Strategic Security Director, Juniper Networks:
“Over the last six months, there have been many stories in the news where public cloud databases are being left without strong passwords and exposed for anyone to access. There’s documentation on how to do this and even tools such as GrayHatWarfare that help people! In essence, anyone with a small amount of know-how can find open databases, and with enough people looking it’s only a matter of time before a database with sensitive information is discovered. Something I do wonder is that with all the stories that we hear about discovered databases, and knowing that there are about 45 MILLION open databases out there, how many databases get discovered and immediately sold on in secret to someone on the DarkNet?
With all the education for end-users about how strong passwords, biometrics and MFA are the way to protect ourselves, isn’t it about time that more organizations holding our data stepped up in the same way?”
Colin Little, Senior Threat Analyst, Centripetal Networks:
“This event confirms just how much like a toothpaste our own data is: once it’s out of the tube, it’s out and is never going back in. Phone numbers, email addresses, and other PII can be legally bought and sold and the only opportunity we have to consent to this act is to read the fine print or abstain from using the service; it can also be illegally acquired by criminals because the database within which they reside is improperly secured. In almost any other venue in the world, when I use the service of a business such as a mechanic, that mechanic is solely responsible for the quality and security of the product. I don’t have to see if VIP has checked a national muffler repair chain’s labor standard, and then find out that the chain contracts labor out to countless third parties. This is the risk of using online services, or even registering for an account: that this PII will be sold to third parties without my knowledge and without truly informed consent.”
Colin Bastable, CEO of Lucy Security:
“Facebook, which owns Instagram, said it was looking into the matter.
Alternatively, as the old gag goes – “Facebook has been advised of yet another security hole. Mark Zuckerberg is looking into it.”
Of course, it is no joke for the 49 million influencers, but anyone who entrusts their data to any part of the Facebook business must expect it to have a resale value.”
Kevin Gosschalk, CEO and co-founder, Arkose Labs:
“Influencers, celebrities, and brands carry a lot of clout on social media with their ability to impact their followers’ sentiments and actions. The recent exposure of records containing the private contact information for more than 49 million accounts, including Instagram influencers and celebrities, is a timely reminder of the deep responsibility a company has to protect the mass amount of data that it collects. It also represents yet another instance of a company failing to even use a password, which is a shocking phenomenon because it is the most basic form of security. Time is up – companies need to be proactively protecting their attack surface, especially online databases containing valuable customer records, to protect their digital ecosystems against damaging cyber attacks.”
Ameya Talwalkar, Co-founder and CPO, Cequence Security:
Very often, we find that some database storing private, sensitive data in the application layer is accessible over the internet. In most cases, there is no inherent security built into these databases. That is because they are meant to be accessed by other services and applications in the application tier – post authentication.
There is a notion of explicit trust between the services/applications using these databases. In cases where these databases have some security/authentication support, it is usually not turned ON, in order to serve queries as fast as possible, based on the explicit trust model. As these application tiers are changing very rapidly due to fast dev-ops cycles, there is frequent change happening in that application tier. In some instances, these changes leave sensitive databases wide open for access from the public internet. These unintended exposures are due to errors in firewall policies, moving of security zones, moving of workloads and load balancing. Unfortunately, enterprises don’t discover such errors until after such a breach is widely reported on by media, and a lot of damage to users and to the brand has already resulted.
There have been similar breaches in the past, such as the high-profile one involving the USPS – https://techcrunch.com/2018/11/26/the-us-postal-service-exposed-data-of-60-million-users/
How is this happening? The attackers are constantly scanning open/accessible servers/services on the internet. They are getting more focused on services that are hosted in the Public/Private cloud environments, where they know environments change frequently, which leads to a higher probability of errors in security policies. When they discover such sensitive databases, they go after scraping as much data as they can from them. That’s what happened to USPS in the past and to Instagram influencers today.
Here are issues that enterprises need to solve:
- An application tier visibility and lockdown mechanism.
- Scanning of their own application tier through tools similar to the ones that hackers are using.
- Regular review of security policies, Firewall rules, workload zones, etc., both for themselves and for third parties.
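The comment above recommends that enterprises scan their own application tier and regularly review firewall rules and workload zones for unintended exposure. The following is an added example, not code from the article or from Cequence Security, of what such a review can look like in practice: a small audit that takes security-group style rules (the rule set below is constructed sample data, not real infrastructure) and flags any rule that opens a well-known database port to a public source network. The list of database ports and the "/8 or wider counts as public" threshold are assumptions chosen for illustration.

```python
"""Audit firewall / security-group style rules for database ports reachable
from the public internet.

Added example for the commentary above, not the article's own code. The
rule set at the bottom is constructed sample data, not real infrastructure.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Ports used by data stores that are meant to sit behind the application tier.
# Assumption: this list is illustrative; extend it for the stores you actually run.
DATABASE_PORTS: Dict[int, str] = {
    1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL", 5984: "CouchDB",
    6379: "Redis", 9042: "Cassandra", 9200: "Elasticsearch", 27017: "MongoDB",
}

# A source network with this prefix length or shorter is treated as "public".
# Assumption: /8 or wider is effectively the whole internet for this check.
PUBLIC_PREFIX_MAX = 8


@dataclass(frozen=True)
class Rule:
    name: str        # label for reporting (e.g. a security-group id)
    protocol: str    # "tcp", "udp" or "all"
    from_port: int   # inclusive start of the permitted port range
    to_port: int     # inclusive end of the permitted port range
    source: str      # CIDR the rule accepts traffic from


def is_public_source(cidr: str) -> bool:
    """True when the CIDR is broad enough to count as the public internet."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen <= PUBLIC_PREFIX_MAX


def exposed_database_ports(rule: Rule) -> Dict[int, str]:
    """Return {port: service} for database ports this rule opens to a public source."""
    if rule.protocol not in ("tcp", "all"):
        return {}
    if not is_public_source(rule.source):
        return {}
    # "all" protocol ignores the port fields and means every port.
    lo, hi = (0, 65535) if rule.protocol == "all" else (rule.from_port, rule.to_port)
    return {port: svc for port, svc in DATABASE_PORTS.items() if lo <= port <= hi}


def audit(rules: List[Rule]) -> List[Tuple[str, int, str, str]]:
    """Return (rule name, port, service, source) findings, sorted for stable reports."""
    findings = []
    for rule in rules:
        for port, svc in exposed_database_ports(rule).items():
            findings.append((rule.name, port, svc, rule.source))
    return sorted(findings)


# Constructed sample rule set: a mix of acceptable and unacceptable rules.
SAMPLE_RULES = [
    Rule("sg-web", "tcp", 443, 443, "0.0.0.0/0"),        # fine: HTTPS to the public
    Rule("sg-app", "tcp", 5432, 5432, "10.0.0.0/16"),     # fine: DB only from the VPC
    Rule("sg-search", "tcp", 9200, 9200, "0.0.0.0/0"),    # exposed: Elasticsearch to all
    Rule("sg-legacy", "all", 0, 65535, "::/0"),           # exposed: every port, IPv6 any
    Rule("sg-cache", "tcp", 6379, 6379, "8.0.0.0/8"),     # exposed: Redis to a whole /8
]

if __name__ == "__main__":
    for name, port, svc, source in audit(SAMPLE_RULES):
        print(f"{name}: {svc} ({port}/tcp) reachable from {source}")
```

Running the block prints ten findings: one each for the Elasticsearch and Redis rules, and eight for the legacy allow-all rule, which is the kind of "moved workload, forgotten rule" exposure the comment describes. Wiring the same check to a real rule export (for example, the JSON output of a cloud provider's security-group listing) turns it into the scheduled policy review the comment calls for.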
Robert Prigge, President, Jumio:
“Another data breach. Surprise, surprise. More of our personal information is seeping into the Dark Web on a daily basis making it easier and easier for fraudsters to perpetrate identity theft and account takeovers. That’s why modern businesses should have ZERO confidence that the person purporting to be John Smith on 123 Main Street is actually the real John Smith on 123 Main Street if he’s creating a new online account. What’s more insidious is if you have a current user — also named John Smith — how confident are you really that the John Smith logging into their online account is actually John Smith, especially given that his username and password can be purchased off the Dark Web for pennies. Online trust should have completely evaporated by now. Each data breach is another chink in the wall and another data point why we should be running and screaming away from password-protected systems.”