A massive database containing information from more than 49 million Instagram accounts has been discovered online. The cache, which contained information from a variety of influential and popular Instagram accounts, was traced back to Chtrbox, a social media-focused marketing company. The database has since been removed, but it previously contained both public information, such as users' profile pictures and number of followers, and also private contact information such as email addresses and telephone numbers that would not be readily obtainable from public Instagram profiles. Along with this information were Chtrbox's calculations as to how much it would be willing to pay various Instagram users to post advertisements.
Normally, one would expect this type of valuable market research to be safely locked away on internal systems, or perhaps in a secure cloud server. Chtrbox's database, however, was freely available online, without so much as a password protecting it. While much of the information could have either been scraped from public profiles or internally generated by Chtrbox, it is thus far unclear how Chtrbox gained access to contact information that would not have been publicly available. Facebook, which owns Instagram, released a statement saying that it was looking into how Chtrbox could have accessed the data, suggesting that Facebook did not voluntarily and directly provide it to Chtrbox. The two most likely alternatives seem to be that either Instagram experienced a data breach, or another entity that was authorized to access the data provided it to Chtrbox without Facebook's consent.
Facebook's Privacy Issues
Regardless of how it occurred, the leak is a blow to Facebook, which has increasingly found itself at the center of privacy and data misuse scandals. Given that Facebook processes information about literally billions of people every day, it's understandable that such a treasure trove would draw the attention of those who might wish to misuse all that data. One would think that with such great stores of information (and correspondingly great revenue and resources) would also come great information security. Nevertheless, Facebook has been at the center of a number of data privacy scandals, from Cambridge Analytica, to internal experiments in manipulating user behavior, to simple but massive data breaches. Overall, it has often seemed that the PR campaign attempting to control the damage from one scandal has hardly wrapped up when the next scandal erupts.
All these problems have not gone unnoticed by those who seek to oversee Facebook. This latest breach will only give more ammunition to the FTC, which has been investigating Facebook's treatment of user data. Even before the recent revelation of the Chtrbox open database, the agency was gearing up to issue a fine that purportedly would total a record-shattering three to five billion dollars. Depending on what is eventually discovered about how Chtrbox obtained its information, this could help push that number towards the higher end of that range, or even beyond it.
Whether the data was obtained by malicious hackers or let slip by loose-lipped contractors, the fact that it got out could also cause legal troubles for Facebook in the civil courts. Data breach lawsuits are becoming more and more common, and it is quite possible that Facebook will face one or more such cases over this incident. These cases will only grow more numerous once the California Consumer Privacy Act (CCPA) goes into effect in January. The CCPA provides a private right of action for consumers whose unencrypted personal information is released due to a business's failure to maintain "reasonable security procedures."
What to Do
For those concerned about their own information in light of this latest leak, there are a few steps that can be taken to ensure proper security:
- For those with Instagram accounts, consider changing the contact information associated with the account. Given that it's still unclear how Chtrbox obtained private information, it may be worth changing the account's password as well.
- For those concerned about their own stores of user and customer information, make sure to implement safeguards proportionate to the type and amount of information being protected. For those unclear as to the appropriate level of security, a variety of legal and technical experts and consultants can help to make that determination.
- In addition to shoring up the security of internal systems, be sure to vet the security of any outside vendors or contractors who will have access to user data, and include appropriate contract provisions to ensure proper security.
- For those concerned about CCPA compliance, the best plan is to start early and make sure that compliance preparations are complete before the law goes into effect on January 1, 2020.
Data breaches have become a fact of modern life, but a few basic precautions can minimize both the risk and the resulting hassle and disruption.