Instagram Allegedly Leaking Private Phone Numbers, Email Addresses of Members for Months

NEW YORK - Instagram, a photo and video sharing social networking service owned by Facebook, has come under fire recently as reports indicated that the social site had leaked the contact information of many of its users – including names, email addresses, and phone numbers – over a period of time that lasted at least four months.

Apparently the contact information for many Instagram users had been compromised hackers who had the ability to acquire information from any affected Instagram page. File photo: Pixabay.

According to data scientists, the contact information of some Instagram users was actually contained in the source code of their user profiles whenever loaded in an Internet browser, making it easy for unscrupulous individuals to access and gather it for a variety of purposes. Why such sensitive information was included in the source code for the website is anyone's guess, but it’s not considered a secure practice by any means.

Apparently the contact information for many Instagram users – but not the entirety of them – had been compromised by this issue, some of whom were minors, businesses, and known marketing brands. Hackers and scam artists would have the ability to acquire this information from any affected Instagram page, and in turn construct a database comprised of the contact details of a great number of Instagram members

Instagram released a statement regarding the issue, noting that the information that had been leaked was not considered private; it could be argued that the users who were compromised would not agree with this assessment of the situation, however, nor does the statement address why the contact information was actually contained in the source code.

"The contact information discovered in this case is not private contact information, but contact information a member of the Instagram community chose to share when converting their profile to a Business Profile," they said. "During the setup process for Business Profiles we display this information, remind people that it will be accessible to others, and allow them to update or remove the information."

According to reports, this sensitive data has already spread to various marketing companies, including one located in India that had allegedly acquired contact information of millions of Instagram users. Such use of their member’s information is against Instagram's terms of use, but it's readily apparent that any unscrupulous marketing company that is willing to engage in this type of behavior cares little for the terms of a website.

Reports indicate that phone numbers and email addresses have been contained in the Instagram source code of selected profiles for several months. The problem was reported to the Instagram tech support team in February of 2019, and was eventually rectified the following March.

In a day and age where personal information is becoming easier and easier for marketing types to find and exploit on the internet, programming and coding errors can only exasperate that problem. This is especially true when that information is relatively easy for hackers with even a rudimentary level of computer skill to obtain, such as the case with the Instagram source code. Another example of this problem involves Google, who recently admitted that it had been storing the passwords of some of their business customers as mere plain text, as opposed to an encrypted format. Practices such as these place the users of such websites at considerable risk for identity theft and fraud, and the companies involved owe it to their users to greatly enhance their security measures and to take greater care with the private information of their many millions of users.

Currently, user contact information is only available for outside viewers on Instagram if the user profile in question has selected the option for outside individuals to contact them through the website. While that is not ideal – as it still puts sensitive personal information out on the web – at least this is by choice and not through a programming and coding error that managed to slip through the cracks. And considering the fact that scraping data from a website is considered relatively easy according to experts, it's best not to give hackers and scammers and an even easier time of it than usual.

Criminals armed with a name, email address, or phone number can do untold damage, believe it or not. That information, combined with other identifying characteristics about you that could be mined from any number of web-based sources, could result in rampant identity theft that could tank your credit rating, leave you responsible for multiple expensive charges, and even more.

It's been said before, and again - in today's day and age of robust and frequent internet activity, it's best to sit back and rethink the information that you make publicly available on the web for all to see; unfortunately, most people don't tend to make this consideration until it is far too late. Just remember, if it's not something you would want a total stranger to know about yourself in real life, you probably shouldn't put it on the web, either.