Instagram desktop site bug allowed access to private data of million users

“The Instagram bug was discovered in February this year and has been patched since” 

A recent report had surfaced online which stated that an India-based social media marketing company had been keeping a database of millions of Instagram users. This database was left unsecured and contained contact information of influencers, celebrities, and accounts of brands. The company in question, Chtrbox, stated that it was doing this ethically and that the information being circulated online was incorrect. However, a new report is now stating that a bug on Instagram’s website was leaking information for at least four months. 

David Stier, a data scientist and business consultant, discovered the bug earlier this year and notified Instagram. According to his findings, the source code of some Instagram user profiles were showing data such as contact information. This was happening only when Instagram was loaded on a desktop browser. Stier believes that this is how the Indian company was able to scrape data of users from the photo-sharing app. Scraping data from a website is fairly easy and a lot of people do this.


The first reports of the data leak stated that information of about 49 million Instagram users and brands were collected in the database. This unsecured database was stored on Amazon Web Services server and was openly available for about 72 hours. Once the company found that the database had leaked, it immediately found the source and stopped it. According to Chtrbox, about 350,000 users’ information was leaked and all of them were collected with consent.

Instagram stated that it is still investigating this database leak. It was also looking at how the Indian company managed to get its hands on such a database. This shows that nothing is really safe on the internet. All your data and information could be hacked. David Stier stated that this Instagram source code bug was present since at least October last year. He discovered it in February this year and Instagram fixed the issue in March. That gave hackers and other users about four months time to collect information, including email addresses and phone numbers, from an unknown number of Instagram users.