Instagram admits API was hacked to compromise celebrity accounts.

Just two days after Selena Gomez's Instagram account was hacked to post leaked nude photos of Justin Bieber, the social media company confirmed it was hit by a cyberattack targeting several high-profile celebrities.

“We recently discovered that one or more individuals obtained unlawful access to a number of high-profile Instagram users' contact information – specifically email address and phone number — by exploiting a bug in an Instagram API,” the social media company said in a statement to Variety.

The threat actors reportedly exploited a bug in the Instagram API which allowed them to obtain a set of code which may have contained the email addresses and phone numbers of the users of the targeted accounts.

The Facebook-owned social media giant said it believes the attack was aimed at “high-profile users” and that it notified the owners of verified accounts, but it did not disclose which other accounts were compromised.

“Our main concern is for the safety and security of our community,” Instagram said. “As always, we encourage people to be vigilant about the security of their account and exercise caution if they encounter any suspicious activity such as unrecognized incoming calls, texts and emails.”

Instagram recommends that users choose strong passwords, change passwords frequently and use two-factor authentication. Despite the breach, not all security professionals are showing sympathy for those who fell victim to the hack.

“Heaven knows they can afford advisors to provide them with these electronic tidbits,” One Identity Senior Director of Marketing Bill Evans told SC Media. “But most of all, they know they are targets for these types of breaches.”

Evans said celebrities shouldn't create these types of “personal” digital assets and that if they never exist, no one can steal them. He also expressed concerns about what kind of impact this breach will have on users of the platform.

“While I am not on Instagram, I understand that the masses tend to follow celebrities,” Evans said. “It will be interesting to see if these celebrities, having lost trust in the security of Insta, abandon its use in favor of another, perhaps more trustworthy, platform.”

Researchers also pointed out that the more users on the platform that provide access to their data, the more avenues there are for attackers to steal said data.

“It's good to remember that social media sites view people merely as a source of income,” Tripwire Systems Engineering Manager (EMEA) Dean Ferrando told SC Media. “They are only concerned with the security of your data to the extent that the law requires.”

Ferrando added that it is critical for users to take responsibility for their own security.