Instagram is one of the most popular social media platforms with over 1 billion monthly active users, making it a prime target for cybercriminals.
Over the years, Instagram has experienced multiple data breaches that have compromised the personal information of millions of its users. A data breach occurs when unauthorized individuals gain access to sensitive information stored in a company’s database.
In the case of Instagram, these breaches have resulted in the theft of user data such as email addresses, phone numbers, passwords, and profile information.
In response to these data breaches, Instagram has taken steps to improve its security, such as implementing two-factor authentication and improving its bug bounty program to encourage ethical hacking.
However, it remains crucial for users to take steps to protect their personal information, such as using strong passwords and being cautious of suspicious emails or messages. Below is a timeline of all Instagram data breaches.
September 2022 – Instagram Data Breach
Meta was fined €405 million by Ireland’s Data Protection Commissioner in September 2022 for breaching the General Data Protection Regulation (GDPR), with regard to Instagram’s disclosure of children’s phone numbers and email addresses.
Meta contested the fine, arguing that the breach had been resolved over a year ago.
January 2021 – Instagram Data Breach
A data breach occurred in January 2021 at SocialArks, which resulted in the exposure of 318 million records, encompassing approximately 214 million social media accounts. The reason behind the leak was a database that was misconfigured.
Since the data was not encrypted and was accessible without a password, anyone who could connect was able to view the entire data store.
The database that was disclosed contained the personal details of several account holders, including bios, follower counts, and other related information. Additionally, the dataset included phone numbers and email addresses of certain users.
A scraped information database is built by gathering publicly available data, whereby a company, entity, or individual collects a vast amount of information.
In addition to gathering discrete pieces of data, those who create scraped information databases may also endeavor to merge information from different sources to generate more comprehensive records for individuals, companies, or entities.
Collecting information through web scraping is not necessarily illegal, and the company that did so had the right to gather the data. It should be noted that in web scraping, no hacking occurs as all the information is openly available on the original website at the time of collection.
Nevertheless, it is important to mention that scraping data from most social media platforms breaches their terms and conditions. This applies to Instagram, Facebook, and many other popular social media services.
August 2020 – Instagram Data Breach
In August 2020, it was reported that an unsecured database containing 235 million profiles from Instagram, TikTok, and YouTube had been discovered.
The database was deemed unsecured by a security research team from Comparitech who alerted the administrators that the information was not properly secured and could be fully accessible to anyone who came across it.
A variety of personal information was discovered in the data that was made public. While full names, genders, ages, and profile photos were the main components, certain records also included email addresses and phone numbers.
Deep Social, a third party that gathered data by scraping accounts, had collected the information. However, in 2018, Facebook banned the company from scraping user data from Instagram profiles and threatened a lawsuit, which resulted in Deep Social going out of business.
Although a different company, Social Data, was now managing the database, it was unclear how long the information had been made public.
May 2019 – Instagram Data Breach
In May 2019, an extensive database managed by a third-party entity was found online, as a result of an inadequately secured Amazon Web Services server monitored by Chtrbox, a company that compensated influencers for endorsing content.
The data was vulnerable since it was not encrypted, allowing access to the information without the need for a password.
The records contained private contact details, such as email addresses and phone numbers linked to accounts, along with other account information like follower counts, locations, and additional data.
In addition to other information, the data included an estimated worth for the accounts, which the company determined based on various factors such as reach, number of followers, engagement rates, and related data.
This allowed the company to assign a monetary value to the profiles, as it was involved in the placement of sponsored posts.
Initially, reports indicated that the data leak resulted in the exposure of a significant 49 million records.
However, Chtrbox contested this claim and stated that only up to 350,000 influencers may have been impacted by the incident. The exact number of individuals affected remains uncertain.
March 2019 – Instagram Data Breach
Facebook disclosed in March 2019 that it had unintentionally saved unencrypted user passwords, which included those of Facebook accounts, Facebook Lite accounts, and also Instagram accounts, as revealed by the company in April.
The passwords were easily accessible throughout the company, whereas most companies usually encrypt password information to safeguard it from potential hacking attempts. Facebook, however, had these passwords readily visible for an extended period of time.
August 2017 – Instagram Data Breach
A data breach affecting 6 million Instagram accounts was revealed in August 2017. The breach was caused by a bug in the Instagram developer API, which allowed the extraction of phone numbers and email addresses associated with Instagram accounts.
Although Instagram attempted to resolve the issue, it appears that the resolution was not timely.
Hackers posted a website with a searchable database purportedly containing the personal contact information of prominent users. The group initially targeted accounts with over one million followers before moving on to others.
Ultimately, the database contained information on both prominent and ordinary users. The hackers charged a fee for each search, and the data was eventually sold for Bitcoin.
Following the occurrence of the breach, Instagram contacted verified accounts to notify them about the incident.
November 2015 – Instagram Data Breach
Apple and Google found out in November 2015 that InstaAgent, a third-party Instagram client, was stealing and posting Instagram usernames and passwords without authorization.
As a result of the incident, Instagram took strong action against third-party apps by significantly limiting access to its API.
Although no prior records of data breaches related to Instagram were discovered, the parent company has experienced several data breaches and violations of privacy in the past.