There’s been a giant breach of Instagram users’ contact information, as Ars Technica previously reported. It happened through a bug in the Instagram app, and the harvesters of the data claim to have information about six million Instagram users.
The hackers have set up a site where users can go and search for accounts. If they find an account that interests them in the database, they can get access to it for $10 in bitcoin.
We’re intentionally not linking to the site here, but it’s not hard to find after a bit of searching. We know a lot of people will be curious and want to go. Be careful.
We looked so you don’t have to. To enter the site, users need to create an account. Think about this. You’re about to create an account on a website maintained by cybercriminals. You should definitely assume that the email and password that you enter into that account will be viewable in plain text by the people who built it. They do not care about your security. Don’t become their next victim.
- Don’t use a password that works on another account. In fact, use a terrible password, so it provides no clues about you.
- Don’t give them a real email address (we didn’t need to confirm our email before we could enter, so you probably won’t either).
- There’s not much point in getting the celebrity’s email or phone number as you can all but guarantee that those are getting changed right now (and it’s probably a crime).
It remains to be seen if the hackers got more than just contact information; based on what’s known from reporting so far, they may not have.
On a forum where the hackers have promoted their service (again, intentionally not linking), they claim to have access to “any” account. This does not appear to be true or even close to true. We searched for many different kinds of accounts, from normal people to those with a large but not huge following. We were able to easily find lots of accounts that aren’t in there. It looks like whoever did this targeted the most popular accounts first and worked their way down.
Out of 700 million users, six million is still less than one percent. Still, it’s probably the most influential one percent. Every celebrity and semi-celebrity we looked for was in there.
That said, we’re all better off if no one patronizes this “service” and encourages more of this behavior. Also remember that just entering a stolen password into a website is a crime, so anyone who buys one of these stolen records is almost certainly breaking the law in a serious way. Think twice.
Patronizing a site like this gives criminals an incentive to come after you next.