Data security is a massive concern for marketers, regardless of what industry or segment they serve.
As data modeling and advanced targeting have pushed all kinds of organizations to develop databases of precise details on consumers, users, readers and employees, protecting that data has become increasingly important and exceedingly difficult.
The latest data breach, a leak of the personal contact info of millions of Instagram influencers, could have profound effects for an ever-changing industry. Instagram prohibits the use of scrapers to compile these databases, but the company has limited options to enforce its rules.
Meanwhile, these data leaks threaten the entire influencer marketing marketplace.
A security researcher detected the leak and alerted TechCrunch to the unsecured database.
We traced the database back to Mumbai-based social media marketing firm Chtrbox, which pays influencers to post sponsored content on their accounts. Each record in the database contained a record that calculated the worth of each account, based off the number of followers, engagement, reach, likes and shares they had. This was used as a metric to determine how much the company could pay an Instagram celebrity or influencer to post an ad.
TechCrunch found several high-profile influencers in the exposed database, including prominent food bloggers, celebrities and other social media influencers.
We contacted several people at random whose information was found in the database and provided them their phone numbers. Two of the people responded and confirmed their email address and phone number found in the database were used to set up their Instagram accounts. Neither had any involvement with Chtrbox, they said.
The agency responsible for the leak is trying to quash coverage and speculation, offering no response to reporters’ questions.
Shortly after we reached out, Chtrbox pulled the database offline. Pranay Swarup, the company’s founder and chief executive, did not respond to a request for comment and several questions, including how the company obtained private Instagram account email addresses and phone numbers.
Instagram is also in the hot seat, especially given that the leak mirrors another breach that allowed hackers to access the email addresses and phone numbers of 6 million Instagram accounts.
A Facebook spokesman told TechCrunch it’s looking into the matter and that “Scraping data of any kind is prohibited on Instagram.” According to the publication’s report, a security researcher named Anurag Sen found the database and alerted the news site to its existence. The site, in turn, says it traced the database to the social media marketing firm Chtrbox, based in Mumbai.
…The Facebook spokesman added that the social network is looking into how this happened and what data was obtained and that the company “will share an update soon.” Of course, this comes some two years after a version of the same thing happened before, when Instagram acknowledged that a security bug let hackers improperly get their hands on private contact data for six million Instagram accounts.
In the past, we have seen hackers try to sell celebrity data scraped from Instagram, and the platform has faced its own security issues — like storing passwords in plain text and a bug that exposed some users’ passwords. As Facebook works to emphasize privacy, it will have to address Instagram’s vulnerabilities as well.
The incident highlights the importance for practically every organization to secure customer and partner data and might be a warning sign for the online marketing industry. Influencer marketing is already facing tighter scrutiny and possible regulation.
Data insecurity poses a risk to the entire influencer ecosystem. If hackers can break into celebrity accounts and impersonate or steal data from them, the enterprise could lose its luster for consumers and hurt the valuable relationships that influencers have with their respective audiences.
Mark Risher, head of account security at Google, said celebrity Instagram users might be at risk if hackers got their hands on their private email addresses. He recommended Gmail users check their security settings through the Google Security Checkup and also set up extra login protections including prompts and the Advanced Protection Program.
“Given the high-profile nature of some of these accounts, attackers may try to break into the email accounts as a means to impersonate the legitimate account holder,” Risher said.
Though Instagram forbids companies from scraping its platform or user data, the practice of using a bot army to cull millions of user records is an easy workaround for unscrupulous organizations.
“It’s not like this is some big secret that you can scrape websites,” said Mark Douglas, CEO of ad tech firm SteelHouse. The code needed to create something like this was so simple “a college student could do it,” he said, noting that the company does not participate in data scraping.
It’s also perfectly legal. A federal judge in San Francisco ruled in August that hiQ Labs — which collects public data from LinkedIn profiles to help companies find “skill gaps and turnover risks” using bots — was within its rights to do so.
The practice of using bots to collect massive amounts of information is common, said Rich Kahn, CEO of online marketing firm eZanga and ad-fraud detecting firm Anura.io.
YouTube also said it banned the practice.
“YouTube Terms of Service and YouTube Developer Policies prohibit scraping of YouTube,” a YouTube spokesperson told CNBC. “Once notified of an infringing tool or service we take appropriate action.”
But a marketing executive — who did not use the bot tactic because it requires a lot of maintenance to deal with constant policy changes — noted that there are ways around the platforms’ policing tactics.
That probably means there are more databases out there with Instagram user information—and platform execs might have limited options for putting this particular genie back in the bottle.