Hackers are claiming to have obtained the personal details of as many as six million Instagram users, including those of celebrities including Emma Watson, Leonardo Di Caprio and David Beckham.
The cyber-criminals are believed to have exploited a bug in the popular photo service’s mobile API which exposed email addresses, phone and other profile information.
Although that vulnerability has now been patched, the hackers still have the stolen info and reportedly launched a look-up service – Doxagram – where users can search a database of over six million users for $10 per search.
That’s significantly more than at first thought, and could include the details of regular as well as celebrity 'verified status' users.
However, Doxagram was down at the time of writing, and reports have emerged that Instagram has been registering similar domains, presumably to prevent its admins from switching it to a new location.
Instagram co-founder and CTO, Mike Krieger, confirmed the incident on Friday, claiming that no passwords were taken in the online raid and urging users be on the lookout for follow-on phishing and vishing attempts.
“We quickly fixed the bug, and have been working with law enforcement on the matter,” he added. “Although we cannot determine which specific accounts may have been impacted, we believe it was a low percentage of Instagram accounts.”
UK-based cybersecurity vendor RepKnight, claimed to have identified 500 celebrities whose details were stolen in the attack, including Emilia Clark, Harry Styles, Taylor Swift, Adele, Beyoncé and Ronaldinho.
“The attack just goes to show the growing threat of the dark web. If you’ve been hacked and someone’s posted your contact details on a site that Google cannot reach, you’re highly unlikely to ever understand the severity of that hack,” it said.
“Everyone is at risk of the dark web these days — not just A-list celebrities.”