A bug in Instagram allowed hackers to obtain access to phone numbers and email addresses of high-profile user accounts, i.e. verified users, the company has revealed. The bug was part of Instagram’s application programming interface (API), which is used to communicate with other apps.
It might also help explain the hack of singer-actress Selena Gomez’s account from earlier this week, which was followed by nude pictures of her ex-boyfriend Justin Bieber from 2015. Gomez is the most-followed person on Instagram with over 125 million followers.
“We recently discovered that one or more individuals obtained unlawful access to a number of high-profile Instagram users’ contact information – specifically email address and phone number — by exploiting a bug in an Instagram API,” Instagram said in a statement. “No account passwords were exposed. We fixed the bug swiftly and are running a thorough investigation.”
Instagram has also contacted all its verified users and notified them of the possible leak of personal information. The company wouldn’t comment on which accounts had been compromised. Gomez’s Instagram account was broken into briefly on Monday, before the pop star regained access a few hours later, with help from the company.
“Our main concern is for the safety and security of our community,” Instagram added. “At this point we believe this effort was targeted at high-profile users. We encourage people to be vigilant about the security of their account and exercise caution if they encounter any suspicious activity such as unrecognised incoming calls, texts and emails.”
For what it’s worth, Instagram does have support for two-factor authentication, though it remains unclear if the affected accounts had it enabled, or whether it was somehow bypassed by the hackers