Mumbai influencer marketing agency leaks private data of 49M Instagram users

Chtrbox, which connects Instagram influencers with brands, left a large database exposed online. Instagram is said to be investigating the matter.

Another day, another data breach? This time, the impact is closer home.

A large database of 49 million Instagram users – mostly celebrities, influencers, and brands – has been found exposed on an AWS server. This contains public information (including user bio, profile picture, location, number of followers) as well as private data (mobile numbers, email ids, amounts transacted) of users, who are clients of Mumbai-based influencer marketing agency Chtrbox.

The leak was first revealed to TechCrunch by an Indian cybersecurity researcher. The exposed database is believed to have contained account info of some Indian celebs and bloggers. Since the leak, the agency has pulled down the database.

In a statement* to YourStory issued late Monday night, Chtrbox said,

"The reports on a leak of private data are inaccurate. A particular database for limited influencers was inadvertently exposed for approximately 72 hours. This database did not include any sensitive personal data and only contained information available from the public domain, or self reported by influencers."

Chtrbox, which connects influencers with brands and pays them to post sponsored content, has a clientele of about 184,000. However, reports claimed that the compromised database was significantly larger. The agency affirmed that "no personal data has been sourced through unethical means" by it.

An Instagram spokesperson had earlier stated that the platform is investigating the matter. She said,

“We’re looking into the issue to understand if the data described – including email and phone numbers – was from Instagram or from other sources. We’re also inquiring with Chtrbox to understand where this data came from and how it became publicly available."

Chtrbox is operational only in India and works with influencers from various social media platforms, including Instagram and TikTok. "Our database is limited to help our team connect with the right influencers to help them monetise their online presence, and help brands create great content," the agency stated. 

For Instagram, this is not the first instance of a data breach. In 2017, a software bug allowed hackers to gain access to private data of celebrity users. Instagram later updated its terms of use, making "crawling" or "scraping" of data illegal.

* Story updated on May 22, 2019 with Chtrbox's statement.

Also Read: [App Fridays] Half a million people have downloaded this app to spruce up their Instagram Stories


Updates from around the world