Archive for Instagram

Instagram responds to allegations that it got pwned

Posted in Commentary with tags on January 12, 2026 by itnerd

Last Friday, security software vendor Malwarebytes claimed that “Cybercriminals stole the sensitive information of 17.5 million Instagram accounts.” Instagram has publicly denied that it suffered a data breach, even though a large dataset allegedly containing information from around 17 million accounts was being discussed online.

The alleged Instagram data was released for free on numerous hacking forums, with the post claiming it was gathered through an unconfirmed 2024 Instagram API leak.

The dataset contains the following counts of unique values:

  • ID: 17,015,503
  • Username: 16,553,662
  • Email: 6,233,162
  • Phone number: 3,494,383
  • Name: 12,418,006
  • Address: 1,335,727

The social media company acknowledged a technical issue that allowed an external party to trigger mass password reset emails for many users but emphasized that its systems were not breached and user accounts remain secure. Instagram says it has already fixed the bug that enabled the unauthorized reset requests. 

Instagram has urged users to ignore unsolicited password reset emails unless they personally initiated the request and to take standard security precautions such as enabling two-factor authentication. 

Steven Swift, Managing Director, Suzu Labs, had this to say:

   “There are two separate issues with the Instagram incident. One being that it was possible to initiate a password reset for other users (this one is reported as fixed) and separately, someone aggregated what appears to be old breach data into a new package. Neither of these are huge issues, though it will certainly make some users concerned.

   “It’s going to be concerning for users to see someone else attempting a password reset. Note that this issue was limited to initiating a password reset. There’s no indication that attackers were able to actually complete a password change, making this more of an annoyance rather than a major security threat.

   “For the data leak itself, this is old data. The only thing new here is that someone aggregated a bunch of leak data together and is now bragging about it. One of the unfortunate realities about using services on the internet is that personal data tends to leak out of most services, eventually.

   “Once the data is leaked, there’s no way to put it back. If it’s out, it’s out.

   “So, what can users do about it? For this incident, not much. It doesn’t appear passwords were exposed, and the leak data was old. However, some general recommendations still apply.

   “If you’re ever concerned after seeing suspicious activity on your account, any account, reset your password and double check that you have MFA in place. It’s generally better to be a bit cautious here. Use a password that you don’t use anywhere else. Ensure that it’s sufficiently long and/or complex. Save your passwords in a password manager.”

Michael Bell, Founder & CEO, Suzu Labs, follows with this:

   “Two separate issues hit at once. The dataset appears to be from a 2024 scraping or API exposure, while the password reset bug is a separate technical issue. No passwords in the leak sounds reassuring, but it doesn’t take much to fill that gap. Those 6 million email addresses can be cross-referenced against infostealer logs and existing credential dumps to find matching passwords. Most people reuse credentials somewhere along the line. Instagram users should enable MFA and make sure they didn’t use the same password a bunch of other places.”
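Bell’s point about cross-referencing leaked email addresses against credential dumps has a defensive counterpart: a service (or a password manager) can check a password against a corpus of known-leaked passwords without ever sending the password itself. Below is an added Python example, not code from this post or from any of the companies quoted in it, using the k-anonymity range-query design that Have I Been Pwned’s Pwned Passwords API made common (only the first five hex characters of the SHA-1 hash leave the client, and the match is done locally). The corpus, its counts, and the policy thresholds are constructed assumptions.

```python
"""Check a password against a leaked-credential corpus without revealing it.

Added, constructed example: not from the page or from any source quoted in
this post. The client sends only the first five hex characters of the SHA-1
hash of the password; the server returns every leaked hash sharing that
prefix, and the client finishes the comparison itself.
"""
import hashlib
from collections import defaultdict

# Constructed stand-in for an aggregated dump: leaked password -> times seen.
LEAKED_CORPUS = {
    "password": 9_000_000,
    "123456": 20_000_000,
    "qwerty123": 300_000,
    "letmein": 120_000,
    "summer2024": 4_500,
}

HEX = set("0123456789ABCDEF")


def sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


class RangeServer:
    """Holds hashes of leaked passwords, bucketed by 5-character hash prefix."""

    def __init__(self, corpus):
        self.buckets = defaultdict(list)
        for pw, count in corpus.items():
            h = sha1_hex(pw)
            self.buckets[h[:5]].append((h[5:], count))

    def range(self, prefix):
        """Return (suffix, count) for every leaked hash sharing this prefix.

        The server never learns which, if any, of them the client cares about.
        """
        if len(prefix) != 5 or not set(prefix) <= HEX:
            raise ValueError("prefix must be exactly 5 hex characters")
        return sorted(self.buckets.get(prefix, []))


def leak_count(server, password):
    """Client side: how many times the password appears in the corpus (0 if none)."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for candidate, count in server.range(prefix):  # only `prefix` leaves the client
        if candidate == suffix:
            return count
    return 0


def acceptable_new_password(server, password, min_length=8):
    """Policy applied when a user picks a password: reject short or already-leaked ones.

    min_length is an assumed value, not a recommendation from the page.
    """
    if len(password) < min_length:
        return False, "too short"
    seen = leak_count(server, password)
    if seen:
        return False, f"appears in leaked data {seen} times; choose one you use nowhere else"
    return True, "ok"


if __name__ == "__main__":
    srv = RangeServer(LEAKED_CORPUS)
    for pw in ("summer2024", "correct horse battery staple"):
        print(pw, "->", acceptable_new_password(srv, pw))
```

The bucket returned for a prefix contains every leaked hash that shares it, so the server cannot tell which entry (or whether any entry) matched the client’s password; that is what makes the check safe to run against a third-party corpus.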

John Carberry, Solution Sleuth, Xcape, Inc., adds this:

   “The recent disclosure of 17.5 million Instagram user records highlights the ongoing tension between how companies define a “breach” and the actual risks faced by users. While Meta insists its central systems weren’t hacked, the appearance of this data on BreachForums demonstrates how a 2024 API “scraping” vulnerability can be just as harmful as a direct attack.

   “This incident underscores the blurring lines between a confirmed breach and large-scale data exposure, both of which erode user trust. Even if Instagram’s main systems weren’t breached, a vulnerability allowing mass password reset abuse can still lead to account takeovers and widespread social engineering.

   “The presence of millions of email addresses and phone numbers in these datasets raises serious concerns about data aggregation from previous leaks, scraping activities, or API misuse.

   “From a user’s perspective, the technical difference between a system breach and a massive API scrape is meaningless when their inbox is flooded with convincing reset links. Transparency regarding data origin is crucial, especially when free data releases facilitate abuse. This situation also emphasizes how reset mechanisms can be exploited if not carefully rate-limited and monitored.

   “When platforms downplay failures, attackers fill the gap, and users pay the price.”

The cynic in me says that Meta, which owns Instagram, doesn’t want to admit that it got pwned in some way. I guess we’ll have to see whether people start getting pwned in various ways, which will prove or disprove whether the denial is factual.
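The reset bug Instagram acknowledged, and Carberry’s point that reset mechanisms need to be rate-limited and monitored, can be made concrete. The following is an added Python example, not Instagram’s code and not from any source quoted in this post, of a password-reset endpoint that throttles requests per source IP and per target account, always returns the same generic response, and raises one alert when a single source requests resets for many distinct accounts within a window. The thresholds, IP addresses, account names and log lines are constructed assumptions.

```python
"""Throttled password-reset endpoint with mass-reset detection.

Added, constructed example: not Instagram's code and not from any source
quoted in this post. Thresholds, IPs, account names and log lines are
assumptions chosen for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

WINDOW_SECONDS = 600          # sliding window length (assumption)
MAX_PER_IP = 5                # reset requests one source IP may make per window
MAX_PER_ACCOUNT = 3           # reset emails one account may receive per window
ALERT_DISTINCT_TARGETS = 20   # distinct target accounts from one IP => alert
GENERIC_RESPONSE = "If an account exists for that address, a reset link has been sent."


@dataclass
class ResetThrottle:
    # per source IP: (timestamp, target account) for every request, allowed or not
    by_ip: dict = field(default_factory=lambda: defaultdict(deque))
    # per target account: (timestamp, source IP) for every reset actually emailed
    by_account: dict = field(default_factory=lambda: defaultdict(deque))
    sent: list = field(default_factory=list)    # (timestamp, ip, account) emailed
    alerts: list = field(default_factory=list)  # one alert per offending IP

    @staticmethod
    def _prune(q, now):
        # Drop entries that have aged out of the sliding window.
        while q and now - q[0][0] > WINDOW_SECONDS:
            q.popleft()

    def request_reset(self, now, ip, account):
        """Handle one reset request and return the user-visible response.

        The response is identical whether the reset was sent, throttled, or the
        account does not exist, so the endpoint leaks nothing about either.
        """
        ipq, accq = self.by_ip[ip], self.by_account[account]
        self._prune(ipq, now)
        self._prune(accq, now)
        ipq.append((now, account))             # count even throttled attempts
        allowed = len(ipq) <= MAX_PER_IP and len(accq) < MAX_PER_ACCOUNT
        if allowed:
            accq.append((now, ip))
            self.sent.append((now, ip, account))
        # Detection: one source asking for resets on many distinct accounts.
        distinct = {target for _, target in ipq}
        if len(distinct) >= ALERT_DISTINCT_TARGETS and all(a["ip"] != ip for a in self.alerts):
            self.alerts.append({"ip": ip, "distinct_targets": len(distinct), "at": now})
        return GENERIC_RESPONSE


def replay(log_lines):
    """Feed chronological log lines ('<epoch> <ip> <account>') through the throttle."""
    throttle = ResetThrottle()
    for line in log_lines:
        ts, ip, account = line.split()
        throttle.request_reset(int(ts), ip, account)
    return throttle


def constructed_log():
    # Constructed sample: one legitimate user plus a burst of requests from a
    # single source against 30 different accounts within 30 seconds.
    base = 1_736_416_800
    lines = [f"{base} 198.51.100.4 alice"]
    lines += [f"{base + i} 203.0.113.7 user{i:04d}" for i in range(30)]
    lines.append(f"{base + 900} 198.51.100.4 alice")   # alice again, 15 min later
    return lines


if __name__ == "__main__":
    t = replay(constructed_log())
    print(f"{len(t.sent)} reset emails sent, {len(t.alerts)} alert(s): {t.alerts}")
```

Two design points matter here: throttled attempts are still recorded against the source, so a sender that is already blocked can still trip the distinct-target alert, and the caller never sees a different response when throttled, so the limits cannot be probed through the endpoint itself.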

Instagram’s new Maps feature exposes user locations

Posted in Commentary with tags on August 8, 2025 by itnerd

Instagram’s new Maps feature lets users share their real-time or recent location with selected followers, but it raises privacy and safety concerns. Since its release on August 6, social media has been buzzing with the locations of high-profile people, including Shawn Mendes, who was spotted in Budapest.

Cybersecurity experts are concerned and urge users to pay attention to the feature. For example, Vykintas Maknickas, CEO of Saily, comments:

“Personal safety is the number one priority. Real-time location sharing exposes your precise position down to streets and buildings. You’re losing your privacy — your residence, workplace, places you like to spend your free time become public. It can expose you to unwanted attention from stalkers, abusive exes, or others with bad intent. It’s especially dangerous for underage or high-profile users.”

“Bad actors can exploit the Maps feature to spy on others — it essentially gives a shortcut to one of the most valuable pieces of information: your location, and possibly your routine. A stalker could collect enough information to determine where you live, work or study, making “accidental” in-person meetings easy.”

“Because of these risks, it’s important to manage the feature carefully. You can turn off the Maps feature entirely or choose specific friends to share your location with — both essential steps for a less invasive experience.”

“Private accounts mean only approved followers see your updates. However, a stalker could be someone you already approved or hide behind an account pretending to be your friend. This “trusted circle” can create a false sense of security, encouraging you to share more. However, even if a handful of people can see your location, it only takes 1 screenshot for it to get public.”

“Location sharing could also be used to determine when you’re not home. For example, if your location shows that you’re on vacation, that means that no one’s home — your residence becomes a target.”

“Social engineering is also a risk. Having your current location can help bad actors to create believable scams. For example, they might send you fake messages from businesses you actually visited.”

“If you choose to post with a location tag, my biggest advice would be simple: Don’t post at the moment. Just wait until you’ve left the place, and then feel free to share your memories. Also, limit who can view your stories or posts, and don’t assume default settings have your back.”

“Review everything carefully before posting and watch your videos or photos with a critical eye — sometimes you could be surprised by what you might unintentionally reveal. And, of course, avoid tagging places you visit regularly, blur out any signs, street names, shop fronts, house numbers, or license plates that could give away your exact location.”

My advice would be to turn this feature off. Here are instructions on how to do that. This is a potential risk to users, and risk should always be mitigated whenever possible.

Instagram Makes Major Changes To How Teens Use The Platforms To Keep Governments And Regulators At Bay

Posted in Commentary with tags on September 17, 2024 by itnerd

In a move that is likely meant to stop them from being sued by regulators and/or governments, Instagram, which is owned by Meta (which also owns Facebook), has made teen accounts on Instagram subject to the following restrictions:

  • Private accounts: With default private accounts, teens need to accept new followers and people who don’t follow them can’t see their content or interact with them.
  • Messaging restrictions: Teens will be placed in the strictest messaging settings, so they can only be messaged by people they follow or are already connected to.
  • Sensitive content restrictions: Teens will automatically be placed into the most restrictive setting of our sensitive content control, which limits the type of sensitive content (such as content that shows people fighting or promotes cosmetic procedures) teens see in places like Explore and Reels.
  • Limited interactions: Teens can only be tagged or mentioned by people they follow. We’ll also automatically turn on the most restrictive version of our anti-bullying feature, Hidden Words, so that offensive words and phrases will be filtered out of teens’ comments and DM requests.
  • Time limit reminders: Teens will get notifications telling them to leave the app after 60 minutes each day.
  • Sleep mode enabled: Sleep mode will be turned on between 10 PM and 7 AM, which will mute notifications overnight and send auto-replies to DMs.

And:

Teens may lie about their age and that’s why we’re requiring them to verify their age in more places, like if they attempt to use a new account with an adult birthday. We’re also building technology to proactively find accounts belonging to teens, even if the account lists an adult birthday. This technology will allow us to proactively find these teens and place them in the same protections offered by Teen Account settings. We’ll start testing this change in the US early next year.

And when can you expect to see these changes?:

We plan to place teens into Teen Accounts within 60 days in the US, UK, Canada and Australia, and in the European Union later this year. Teens around the world will start to get Teen Accounts in January. We’ll also bring Teen Accounts to other Meta platforms next year. These are big updates that will change the Instagram experience for millions of teens, and we need to make sure they work correctly.

This is all stuff that, to be frank, Instagram should have done years ago. But instead of making these changes, they’ve resisted, likely because there was a financial incentive to resist. Clearly Meta feels that the chance of a government or regulator coming in and putting a metaphorical gun to their head is such a threat that they’ve stopped resisting. My question is whether this goes far enough. Or will Meta find that governments and regulators say “too little, too late”? Stay tuned to find out.

Ukrainian Hackers Busted For Stealing & Selling Access To 100 Million Instagram Accounts 

Posted in Commentary with tags on March 21, 2024 by itnerd

In a police announcement (translation here), the Ukrainian cyber police, working with state police investigators, say they have arrested three members of a “criminal group” accused of stealing & attempting to sell over 100 million emails and Instagram accounts. The database of stolen accounts contained data on more than 100 million Internet users from all over the world.

The suspects used brute-force methods to break the passwords of the stolen accounts and would then sell them on the dark web. The group operated in different regions of Ukraine, coordinating their efforts, with each member specializing in a different aspect of the operation.

During the law enforcement raid, police conducted seven searches across multiple cities, seizing more than 70 pieces of computer equipment, 14 mobile phones, bank cards, and cash.

Emily Phelps, Director, Cyware, had this to say:

   “Cybercriminals are often opportunistic, seeking the path of least resistance. Strong passphrases and multifactor authentication cannot be considered optional extras but fundamental requirements to defend against cyberthreats. The coordination behind such illicit activities emphasizes the need for continuous vigilance, collaboration, and advanced cybersecurity solutions.”

This should serve as a warning to those of you who like to use an easy-to-remember, not very complex password for everything. There are groups like this one out to take advantage of the fact that you do that. Thus complex passwords, multi-factor authentication, or even passwordless solutions should be the way to go to avoid being pwned by a group like this one.

Instagram Joins Twitter In Having Advertisers Halt Ads Due To Placement Next To Problematic Content

Posted in Commentary with tags on November 27, 2023 by itnerd

Elon Musk and Twitter are apparently not the only ones struggling with advertisers halting ad campaigns because those ads were placed next to objectionable content. Meta-owned Instagram is having problems with ads being placed next to sexually explicit images:

Instagram’s system served jarring doses of salacious content to those test accounts, including risqué footage of children as well as overtly sexual adult videos—and ads for some of the biggest U.S. brands.

The Journal set up the test accounts after observing that the thousands of followers of such young people’s accounts often include large numbers of adult men, and that many of the accounts who followed those children also had demonstrated interest in sex content related to both children and adults. The Journal also tested what the algorithm would recommend after its accounts followed some of those users as well, which produced more-disturbing content interspersed with ads.

As a result of this report, this happened:

After the Journal contacted companies whose ads appeared in the testing next to inappropriate videos, several said that Meta told them it was investigating and would pay for brand-safety audits from an outside firm.

Following what it described as Meta’s unsatisfactory response to its complaints, Match began canceling Meta advertising for some of its apps, such as Tinder, in October. It has since halted all Reels advertising and stopped promoting its major brands on any of Meta’s platforms. “We have no desire to pay Meta to market our brands to predators or place our ads anywhere near this content,” said Match spokeswoman Justine Sacco.

Robbie McKay, a spokesman for Bumble, said it “would never intentionally advertise adjacent to inappropriate content,” and that the company is suspending its ads across Meta’s platforms.

Charlie Cain, Disney’s vice president of brand management, said the company has set strict limits on what social media content is acceptable for advertising and has pressed Meta and other platforms to improve brand-safety features. A company spokeswoman said that since the Journal presented its findings to Disney, the company had been working on addressing the issue at the “highest levels at Meta.”

Walmart declined to comment, and Pizza Hut didn’t respond to requests for comment.

Now this is bad. But what I will say is this: Meta and its CEO Mark Zuckerberg will fix this because, frankly, they don’t want to lose the advertising revenue, nor do they want to be seen the way Twitter is seen. So I would expect some rapid action on this front in the coming days.

Instagram Now Blocked In Russia By Russia

Posted in Commentary with tags on March 14, 2022 by itnerd

Russia followed through on its threat to block Meta-owned Instagram on Monday, cutting off access to tens of millions of users in the country:

Instagram is popular in Russia. It’s Meta’s second most popular app there, according to data from Sensor Tower, behind ubiquitous messaging service WhatsApp. The app has been installed 166 million times across the Russian App Store and Google Play since 2014, making it three times as popular as Facebook. After Russian censor Roskomnadzor announced that the government would restrict access to the app following a 48-hour “transition period,” Head of Instagram Adam Mosseri condemned Russia’s actions, which will affect 80 million people in the country.

This is likely in response to things like Facebook allowing people in a handful of countries around Russia to post things like death threats on Facebook, which led to attempts by the Russian Government to brand Facebook and Instagram “extremist”.

Clearly the Kremlin wants to cut people off from any information that isn’t favourable to the Russian regime. And they’re willing to do that even if it upsets their own citizens because roughly 60 million of them use the platform, and some make money off of the platform:

On the platform, emotions ran high Sunday among Russians who were about to lose thousands of dollars they received to promote various products, as well as access to millions of followers amassed over the years.

“I’m writing this post now and crying,” Olga Buzova, a Russian reality television star, wrote, saying she hoped “it’s all not true and we will remain here.”

I’m going to be watching this, as I can see a scenario where this causes a backlash inside Russia. And that may make this situation go in directions that nobody expected.

Contact Info For MILLIONS Of Instagram Influencers, Celebrities, & Brand Accounts Leaked… Oh My!

Posted in Commentary with tags on May 20, 2019 by itnerd

Well, if you’re an Instagram user you may have an issue. According to TechCrunch, there’s been a leak of a massive database that was hosted on Amazon Web Services, contains more than 49 million records, and required no password to access. The database was initially uploaded and shared by Mumbai-based social media marketing firm Chtrbox, and contains public data pulled from Instagram, such as profile picture, biography, and follower numbers, but also private contact information like phone numbers and email addresses. Records also calculated the “worth” of each account based on follower count, engagement, reach, likes, and shares. TechCrunch confirmed that the data is real.

Now Facebook is investigating to find out how this data was acquired. But this is yet another example of sloppy handling of user data, and everyone involved needs to be punished, starting with Chtrbox, who clearly dropped the ball here.

There Appears To Be A Mass Attack On Instagram In Progress

Posted in Commentary with tags on August 14, 2018 by itnerd

A number of people have reported having their Instagram accounts hacked this month, Mashable reports, and many of these hacks appear to have taken the same approach:

Users suddenly find themselves logged out of their accounts and when they try to log back in, they discover that their handle, profile image, contact info and bios have all been changed. Often the profile image has been changed to a Disney or Pixar character and the email address connected to the account is changed to one with a .ru Russian domain, according to Mashable. Some even had their two-factor authentication turned off by hackers. A handful of Instagram users reported the same details to Mashable as have hundreds of others who have taken to Twitter and Reddit to report hacks of their accounts.

It clearly sounds like Instagram has a serious problem on its hands if the hackers can get in and do things like turn off two-factor authentication. So far, Instagram has only said the usual “we take our users’ security seriously” sorts of things, but there’s nothing from them as to how this is happening and what they are doing to stop it. Thus I would suggest that Instagram needs to step up its game right now. In the meantime, with no details on how this is happening, there’s nothing that I can suggest to help you protect yourself.

BREAKING: Instagram Is Down… World Freaks Out

Posted in Commentary with tags on February 2, 2015 by itnerd

Planning to post some pics for others to see on your Instagram feed? You may want to try later as Instagram is down and users are taking to Twitter to vent:

https://twitter.com/SAMMSNEAK/status/562410126158860288

https://twitter.com/tungnsl/status/562401793351901185

For the good of the planet, I hope that this is resolved soon by Mark Zuckerberg and his minions before civilization as we know it ends.

Swedish Politician Tries To Show Off New Tattoo On Instagram And Shows His Genitals Instead. #Fail

Posted in Commentary with tags on July 25, 2013 by itnerd

I’ll lighten the mood a bit with this post. The Toronto Star is reporting that a Swedish politician wanted to show off his devotion to Liverpool FC by showing his new tattoo on Instagram. However, things did not go as planned:

Lars Ohly, former leader of Sweden’s Left Party, posted a picture of the English soccer club Liverpool’s liver bird tattooed on his leg. What he failed to notice was that his genitals were visible in the background.

Ohly quickly removed the picture after posting it Wednesday on Instagram but couldn’t stop the avalanche of comments in social media.

One wonders if he might be a distant relative of Anthony Weiner?

It’s kind of funny, and one wonders how many of these moments happen online every day that don’t make the media. I suspect it’s more often than one would think.