If 2016 went down as the year of celebrity deaths, 2017 is going to go down as the year of exposed data. This week, another company exposed customer data to the public - Instagram. The data included users' email addresses and phone numbers, and was exposed because of a flaw in the API, or application programming interface, which is how the Instagram applications receive data.
To retrieve the data, you only needed an older version of the Instagram mobile app (8.5.1, from 2016) and its password reset function. Routing the app's traffic through an intercepting proxy lets you read the requests and responses in both directions: when the app asks the server to reset the password for a given username, the server's response carries that account's personal information, the email address and phone number, rather than just an acknowledgement that a reset was sent.
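To make the failure concrete, here is an added example (hypothetical code written for this article, not Instagram's code or anything from the Kaspersky write-up) of the two shapes a password-reset endpoint can take, plus the check a tester would run over responses captured through a proxy. The account store, usernames and contact details are constructed sample data; the function and field names are assumptions.

```python
import re

# Constructed sample account store standing in for the real backend database.
# Hypothetical data, not taken from Instagram.
ACCOUNTS = {
    "alice": {"email": "alice@example.com", "phone": "+15555550100"},
    "bob": {"email": "bob@example.net", "phone": "+15555550199"},
}

EMAIL_RE = re.compile(r"[^@\s\"']+@[^@\s\"']+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")


def reset_password_leaky(username):
    """Vulnerable shape of a reset endpoint (hypothetical): it confirms whether
    the account exists and echoes back the contact details the reset goes to.
    Anyone who can name a username and read the response learns its email
    address and phone number."""
    account = ACCOUNTS.get(username)
    if account is None:
        return {"status": "fail", "message": "no such user"}
    # A real implementation would dispatch the reset link or SMS here.
    return {"status": "ok", "email": account["email"], "phone": account["phone"]}


def reset_password_safe(username):
    """Hardened shape: the same generic response whether or not the account
    exists (no user enumeration), and nothing about the account is returned
    to the caller. Delivery of the reset happens out of band."""
    account = ACCOUNTS.get(username)
    if account is not None:
        pass  # dispatch reset link or SMS to the stored contact; return nothing
    return {"status": "ok",
            "message": "If that account exists, a reset link has been sent."}


def find_pii(obj, path=""):
    """Walk a decoded JSON response and return (json_path, value) pairs whose
    string values look like an email address or a phone number. Run this over
    responses captured with an intercepting proxy to spot endpoints that leak
    contact data the client has no need for."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            hits.extend(find_pii(value, f"{path}.{key}" if path else key))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            hits.extend(find_pii(value, f"{path}[{index}]"))
    elif isinstance(obj, str):
        if EMAIL_RE.search(obj) or PHONE_RE.search(obj):
            hits.append((path, obj))
    return hits


if __name__ == "__main__":
    print("leaky:", find_pii(reset_password_leaky("alice")))
    print("safe: ", find_pii(reset_password_safe("alice")))
```

The detector is deliberately crude (regex on string values); its purpose is to flag response fields for a human to look at, not to be a complete PII classifier. The more important point is in the hardened handler: a reset endpoint needs to return nothing about the account, and the same nothing for real and non-existent usernames, so that the API cannot be turned into a lookup service.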
Once the issue was discovered, the obvious next step for someone, or some group, was to harvest information from high-profile accounts. That information quickly found its way to the underworld of the internet, offered for sale at $10 per account on a site dubbed Doxagram. The Daily Beast obtained a sample and verified at least some of the data.
Instagram fixed the potentially long-running bug, and released a statement saying,
We recently discovered that one or more individuals obtained unlawful access to a number of high-profile Instagram users' contact information, specifically email address and phone number, by exploiting a bug in an Instagram API. No account passwords were exposed. We fixed the bug swiftly and are running a thorough investigation.
Our main concern is for the safety and security of our community. At this point, we believe this effort was targeted at high-profile users so, out of an abundance of caution, we are notifying our verified account holders of this issue. As always, we encourage people to be vigilant about the security of their account and exercise caution if they encounter any suspicious activity such as unrecognized incoming calls, texts, and e-mails.
While Instagram says that no passwords were exposed, the timing is definitely unfortunate. Three days earlier, the account of Selena Gomez, one of the highest-profile accounts on the service, was hijacked and nude photos of her ex, Justin Bieber, were posted. It is not clear whether that hijack was related to the data exposure, but the smart money is on a connection. Even without a password, a verified email address and phone number are exactly what an attacker needs to aim phishing messages, SIM-swap attempts and account-recovery requests at a target.
One part of the company's statement stands out, though: "one or more individuals obtained unlawful access." The question this raises is who is legally responsible for the access to the data. If someone leaves a piece of confidential information in a bar and someone else reads it, is it the person who left it behind, or the person who found it, who has violated the privacy of the data?
We will discuss the topic of data responsibility, both personal and corporate, on F5 Live: Refreshing Technology Episode 478 this week.