The hackers responsible for scraping the personal information from some six million Instagram accounts have now reportedly put the information up for sale.
A searchable database of the affected accounts called Doxagram has been created by the hackers, allowing anyone to see if they’ve been affected.
Naturally there’s a catch: a single search will cost you $10.
The Daily Beast was able to open a dialogue with the hackers and was sent 1,000 accounts as a sample to prove the authenticity of the information.
The site then compared the personal information, which includes email addresses and phone numbers, with what is already available online.
While Doxagram is currently offline, there’s no telling whether it will be reinstated or what the hackers’ next steps are for the information.
While the total number of accounts affected is small (compared to Instagram’s 700 million users), the database appears to contain some high-profile celebrities and media companies.
What sets this hack apart from the usual leaks is that the hackers were exploiting a bug that had been left inside Instagram’s own software.
By discovering the ‘back door’, the hackers were able to scrape personal information from accounts.
What is important to note here is that this was specific contact information, not login details.
In a blog post on Friday, Instagram’s CTO Mike Krieger made a brief statement on the incident.
“We recently discovered a bug on Instagram that could be used to access some people’s email address and phone number even if they were not public. No passwords or other Instagram activity was revealed,” said Krieger.
Just last week, security researchers discovered a giant spambot that had access to over 700 million email addresses.
Troy Hunt, a renowned cyber security expert, called the discovery “The largest single set of data I’ve ever loaded into HIBP.”
“Just for a sense of scale,” he says. “That’s almost one address for every single man, woman and child in all of Europe.”
Hunt has uploaded the data into a website he founded called “Have I Been Pwned”.
The website is essentially a vast searchable database of known email addresses and passwords that have at one point or another been hacked, stolen or used to spread malicious software.