An Instagram application programming interface (API) glitch enabled cybercriminals to expose the email addresses and phone numbers of several "high-profile" users, a company spokesperson told Variety. The disclosure comes after the Instagram account for Selena Gomez – the most-followed celebrity on Instagram – was hacked earlier this week.
Hackers were able to use the API glitch to obtain a set of code that contained the email addresses and phone numbers of targeted user accounts, according to Instagram. However, no account passwords were exposed due to the glitch, and the bug has been corrected, Instagram stated.
Instagram has notified verified account holders about the API glitch and is encouraging users "to be vigilant about the security of their [account] and exercise caution if they encounter any suspicious activity."
Website Sells Instagram Users' Contact Information
A database of 10,000 Instagram users' credentials is now available via a searchable website, Ars Technica reported. The unnamed site allegedly charges $10 per Instagram search query and provides users' email addresses, phone numbers and other contact information.
Instagram is investigating the site, and security researcher Troy Hunt said he believes that the site's claims may be true.
"My conclusion: there's nothing in here to disprove the data. It's 'possible' it has been scraped together from other sources, but every indication is that it's legitimate," Hunt told Ars Technica.
Kaspersky Lab Discovers Facebook Messenger Malware
In addition to Instagram, cybercriminals are using Facebook Messenger to launch attacks against social media users.
Antivirus solutions provider Kaspersky Lab last week discovered multi-platform malware spreading via Facebook Messenger that used "tons of domains to prevent tracking and clicks," the company said in a prepared statement.
With the malware attack, hackers leveraged social engineering to trick Facebook Messenger users into clicking on a message link that would take them to a Google doc, Kaspersky stated. Then, the document provided a dynamic landing page that looked like a playable movie. When a user clicked on the fake playable movie, the malware redirected the user to a set of websites that tracked the user's browser, operating system and other information.
"By doing this, it basically moves your browser through a set of websites and, using tracking cookies, monitors your activity, displays certain ads for you and even, in some cases, social engineers you to click on links," Kaspersky indicated.
To combat the malware, Facebook Messenger users should try to avoid clicking on any potentially malicious links and keep their antivirus software up to date, Kaspersky recommended.