Instagram has warned users to be vigilant after contact information pertaining to a number of high-profile individuals was accessed by hackers.
In a note to users, the company said it was investigating the breach, but that the issue had now been resolved.
“We recently discovered that one or more individuals obtained unlawful access to a number of high-profile Instagram users’ contact information – specifically email address and phone number – by exploiting a bug in an Instagram API,” it said.
“No account passwords were accessed. We fixed the bug swiftly and are running a thorough investigation.
“Our main concern is for the safety of our community and, out of an abundance of caution, we are reaching out to all verified accounts.
“At this point we believe this effort was targeted at high-profile users. We encourage you to be extra vigilant about the security of your account and exercise caution if you encounter any suspicious activity such as unrecognised incoming calls, texts and emails.”
Instagram urged users to secure their accounts by ensuring two-factor authentication is enabled and by picking a “strong, unique password”.
‘Sorry’
“Your experience on Instagram is important to us, and we are sorry this happened,” added the note.
The breach came after more than 700 million email addresses, as well as a number of passwords, were leaked publicly thanks to a misconfigured spambot, in one of the largest data breaches ever.
The number of real humans’ contact details contained in the dump is likely to be lower, however, due to the number of fake, malformed and repeated email addresses contained in the dataset, according to data breach experts.
Once sanitised, the breach contained almost twice as many records as the River City Media breach from March, previously the largest breach from a spammer.
Separately, video games reseller CEX notified customers that an online security breach may have leaked as many as 2 million accounts, including full names, addresses, email addresses and phone numbers.
Card information was also contained in the breach “in a small number of instances”, but the newest financial data dates to 2009, meaning it has likely expired for those users.
“We take the protection of customer data extremely seriously and have always had a robust security programme in place which we continually reviewed and updated to meet the latest online threats,” the company said in a statement.
“Clearly however, additional measures were required to prevent such a sophisticated breach occurring and we have therefore employed a cybersecurity specialist to review our processes. Together we have implemented additional advanced measures of security to prevent this from happening again.”
(Additional reporting: Guardian Service)