Just yesterday, we reported that Instagram had patched a critical API vulnerability that allowed an attacker to access the phone numbers and email addresses of high-profile verified accounts.
However, the Instagram hack now appears to be more serious than initially reported.
The suspected Instagram hacker has launched Doxagram, an Instagram lookup service where anyone can search the stolen information for just $10 per account.
A security researcher from Kaspersky Labs, who also found the same vulnerability and reported it to Instagram, told The Hacker News that the issue actually resided in Instagram's mobile API, specifically in the password reset option, which apparently exposed users' mobile numbers and email addresses in the JSON response—but not passwords.
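The failure mode described above is a password-reset endpoint that echoes a user's full contact details in its JSON body. The following is an added example, not Instagram's code, and the endpoint shape, field names and sample account are assumptions: it contrasts a leaky reset response with a hardened one that returns only masked hints, and includes a simple response scanner that a team could run in tests to catch unmasked email addresses or phone numbers before an endpoint ships.

```python
import json
import re

# Constructed sample account record; not real data.
ACCOUNT = {
    "username": "example_user",
    "email": "jane.doe@example.com",
    "phone": "+14155551234",
}


def reset_response_leaky(account):
    """Leaky pattern: the reset endpoint returns the account's full
    contact details, so anyone who can trigger a reset for a username
    learns its email address and phone number."""
    return json.dumps({
        "status": "ok",
        "email": account["email"],
        "phone": account["phone"],
    })


def mask_email(email):
    """Keep the first character of the local part and of the domain name,
    star out the rest; the TLD stays visible."""
    local, _, domain = email.partition("@")
    domain_name, _, tld = domain.rpartition(".")
    return (
        f"{local[0]}{'*' * (len(local) - 1)}@"
        f"{domain_name[0]}{'*' * (len(domain_name) - 1)}.{tld}"
    )


def mask_phone(phone):
    """Keep only the last two digits of the number."""
    digits = re.sub(r"\D", "", phone)
    return "*" * (len(digits) - 2) + digits[-2:]


def reset_response_hardened(account):
    """Hardened pattern: send the reset link out of band and return only
    masked hints so the user knows where to look. (Even masked hints
    confirm that an account exists; a fully generic message is the
    stricter choice where account enumeration is a concern.)"""
    return json.dumps({
        "status": "ok",
        "message": "If an account matches, a reset link has been sent.",
        "hint": {
            "email": mask_email(account["email"]),
            "phone": mask_phone(account["phone"]),
        },
    })


# Patterns for an unmasked email address and an unmasked phone number.
# Neither character class accepts '*', so masked values do not match.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+?\d[\d\s()-]{7,}\d")


def response_leaks_pii(body):
    """Return True if a serialized API response still contains a full
    email address or phone number; suitable as a test-suite check."""
    return bool(EMAIL_RE.search(body) or PHONE_RE.search(body))


if __name__ == "__main__":
    for name, fn in (("leaky", reset_response_leaky),
                     ("hardened", reset_response_hardened)):
        body = fn(ACCOUNT)
        print(f"{name}: {body}")
        print(f"  leaks PII? {response_leaks_pii(body)}")
```

The scanner is deliberately coarse; its purpose is to fail a build whenever a reset, lookup or profile endpoint starts returning contact fields in clear, which is exactly the class of regression the researcher describes.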
Instagram has not confirmed the hacker’s claims yet, but the company said Friday it is investigating the data breach.
The news comes three days after an unknown hacker hijacked the most-followed account on Instagram, belonging to Selena Gomez—with over 125 million followers—and posted full-frontal nude photographs of her ex-boyfriend Justin Bieber.
The company has already notified all of its verified users of the issue via email and encouraged them to be cautious if they receive any suspicious or unrecognised phone call, text message, or email.
With email addresses and phone numbers in hand, the hacker could next use the stolen information in tandem with social engineering techniques to gain access to verified Instagram accounts and post on their behalf in order to embarrass them.
Instagram users are also strongly advised to enable two-factor authentication on their accounts and to always secure them with a strong, unique password.
Additionally, avoid clicking on suspicious links and attachments you receive by email, and do not provide personal or financial details without properly verifying the source.