News that someone exploited an Instagram security hole to steal info from some of its most popular accounts got worse when they began selling it. Hours after the hack was disclosed, hackers established a searchable database named Doxagram allowing users to search for victims’ contact information for $10 per search.
The hacker provided a list of 1,000 accounts they said were available for searching on Doxagram to the Daily Beast, and the list included most of the 50 most-followed accounts on the service. Hackers say they have information on file for 6 million users.
The Verge reports this dark web service is no longer available, but The Daily Beast chatted with operators of the "Doxagram" database who provided a sample of the info that included addresses and numbers for about 1,000 accounts. The info did not appear to be from previous leaks, and some owners confirmed their entries were valid.
But even with the site shut down, contact information for dozens of celebrities now appears to be floating around on the dark web. A cybersecurity firm named RepKnight said it found what purported to be contact information for celebrities including:
Actors: Emma Watson, Emilia Clarke, Zac Efron, Leonardo DiCaprio, Channing Tatum.
Musicians: Harry Styles, Ellie Goulding, Victoria Beckham, Beyoncé, Lady Gaga and Rihanna, Taylor Swift, Katy Perry, Adele, Snoop Dogg, Britney Spears.
Athletes: Floyd Mayweather, Zinedine Zidane, Neymar, David Beckham, Ronaldinho.
For celebrities and other high-profile users, the hack could mean having to change a phone number, email address, or both. But it can also be used along with social engineering techniques to gain access to the account itself. That seems to be what happened to Gomez, Instagram’s most-followed user. Her account was briefly taken down Monday after it was used to post nude photographs of Justin Bieber, her ex-boyfriend.
In another statement, Instagram again confirmed the bug, saying that while no passwords were revealed, the bug did allow access to phone numbers and email addresses even if they weren't public. The hackers were selling access to the database at a price of $10 for each query, and told Ars Technica today that they had made at least $500 already. According to them, an automated process could steal info from up to one million accounts per hour, and Instagram didn't close the hole until 12 hours after their attack started and he had accessed 6 million accounts.
Initially, Instagram's alert said that "high-profile" users may have had information revealed, but even with 700 million or so active users, there may be more people who need to know their information is out there. (engadget.com/theverge.com)