SoylentNews is people

posted by cmn32480 on Friday September 01 2017, @04:04PM
from the low-hanging-fruit dept.

One or more hackers have been stealing celebrities' e-mail addresses, phone numbers, and other personal information by exploiting a bug on Instagram's servers, the company said Thursday.

Researchers from antivirus provider Kaspersky Lab said they recently spotted hackers in an underground forum advertising unnamed celebrities' personal details. In an e-mail, a Kaspersky Lab representative said the researchers privately reported a data-leaking bug to Instagram. The Kaspersky Lab researchers went on to say that exploiting the bug was "quite labor intensive" because each attack had to be done manually rather than using an automated script to bypass mathematical calculations Instagram performs to prevent abuse.

To exploit the bug, according to Kaspersky Lab, attackers used the outdated Instagram mobile app—specifically version 8.5.1, which was released last year—to select the password-reset option. To capture the request, the attackers sent it to a Web proxy rather than the real Instagram servers. The attackers then modified the captured request to substitute the username sent to the Web proxy with the username of targeted celebrities. The Instagram server would then send a JSON-formatted response that included the target's personal information. While the hackers used the outdated app to exploit the bug, the attack worked against all Instagram users, regardless of the app version they used.

A representative from the Facebook-owned photo-sharing service, meanwhile, said the exploited flaw resided in an Instagram programming interface. The representative said Instagram officials know of at least one person who actively exploited the bug.

According to Metro, this bug was also responsible for the hack into Selena Gomez's Instagram account earlier this week.

Instagram did note that no passwords were leaked as a result of this hack.

Sigh. Another day, another hack.
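
The flaw described above comes down to a password-reset endpoint whose JSON reply carries the named account's contact details back to whoever sent the request. The sketch below is an added example, not Instagram's code: it sets that response pattern beside one that returns the same body for every username and delivers the reset token only to the address on file. The handler names, field names and sample accounts are assumptions constructed for illustration.

```python
import hashlib
import json
import secrets

# Constructed sample accounts; field names are assumptions for this sketch.
USERS = {
    "celebrity": {"email": "star@example.com", "phone": "+15555550100"},
    "fan": {"email": "fan@example.com", "phone": "+15555550199"},
}
OUTBOX = []        # stands in for the outbound mail queue
RESET_TOKENS = {}  # sha256(token) -> username; raw tokens are never stored


def reset_leaky(username):
    """Flawed pattern: the reply echoes the named account's contact details."""
    user = USERS.get(username)
    if user is None:
        return {"status": "fail", "message": "no such user"}
    return {"status": "ok", "user": {"username": username, **user}}


def reset_hardened(username):
    """Identical reply for every username; the token leaves only by e-mail."""
    user = USERS.get(username)
    if user is not None:
        token = secrets.token_urlsafe(32)
        RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = username
        OUTBOX.append((user["email"], token))
    return {"status": "ok", "message": "If the account exists, a reset link was sent."}


def leaked_fields(response, username):
    """Regression check: which stored values for `username` appear in a reply?"""
    blob = json.dumps(response)
    return sorted(k for k, v in USERS.get(username, {}).items() if v in blob)


if __name__ == "__main__":
    for handler in (reset_leaky, reset_hardened):
        reply = handler("celebrity")
        print(handler.__name__, "leaks:", leaked_fields(reply, "celebrity"))
```

A check like `leaked_fields` can run in an API test suite against every unauthenticated endpoint, so a response that starts carrying stored account data fails the build.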



This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by looorg on Friday September 01 2017, @04:51PM (2 children)

    by looorg (578) on Friday September 01 2017, @04:51PM (#562585)

    No outrage about naked female celebrity pics? This can't be that serious then.

    • (Score: 0) by Anonymous Coward on Friday September 01 2017, @05:24PM

      by Anonymous Coward on Friday September 01 2017, @05:24PM (#562609)

      Naked female celebrity pics would be an outrage. Provide naked male celebrity pics instead.

    • (Score: 4, Insightful) by KilroySmith on Friday September 01 2017, @07:25PM

      by KilroySmith (2113) on Friday September 01 2017, @07:25PM (#562678)

      Have you seen what passes for female celebrity clothing these days? Naked is barely different.

      And, remember, "all publicity is good publicity". Have there been, like, hundreds of "naked selfie stolen from phone" events, such that every single celebrity and near celebrity probably has friends that have been victimized? And yet, female celebrities continue to take and store naked selfies on their phones.

  • (Score: 4, Insightful) by Anonymous Coward on Friday September 01 2017, @04:57PM (3 children)

    by Anonymous Coward on Friday September 01 2017, @04:57PM (#562589)

    Please blackhats, continue your unrelenting assault! Until people truly understand why they shouldn't have their personal info in a centralized database we will never move forward. It is a shift in consciousness that is needed.

    • (Score: 3, Insightful) by Runaway1956 on Friday September 01 2017, @05:23PM (1 child)

      by Runaway1956 (2926) Subscriber Badge on Friday September 01 2017, @05:23PM (#562608) Homepage Journal

      Insightful because the public needs to do a little growing up. We, collectively, are just too damned immature to be trusted with crap like Facefuck, and devices that can upload senseless crap to Facefuck.

      --
      Abortion is the number one killer of children in the United States.
      • (Score: 1, Insightful) by Anonymous Coward on Friday September 01 2017, @08:03PM

        by Anonymous Coward on Friday September 01 2017, @08:03PM (#562691)

        Feels more like FaceHug than Facefuck, what with the alien creature laying eggs in your body.

        You hear me Zuck? You're a fucking parasitic alien!!

    • (Score: 2) by hemocyanin on Friday September 01 2017, @09:09PM

      by hemocyanin (186) on Friday September 01 2017, @09:09PM (#562725) Journal

      Some businesses have a legitimate need to know your phone number: your doctor, your bank, the contractor you hired to fix your roof. A picture sharing site on the internet though? Anyone who provides that info to such a business is nuts.

  • (Score: 3, Insightful) by bob_super on Friday September 01 2017, @05:00PM (6 children)

    by bob_super (1357) on Friday September 01 2017, @05:00PM (#562592)

    Hey, celebrities! Burner phones are not just for drug dealers, you know!
    The phone you post your star-stuff self-advertising from, should only be used for that, and if it has a phone number, it should never ring.
    Keep the nudies, address books and other passcodes on the other phone(s) (and off the web).

    It won't protect you from this hack, or people hijacking insufficiently-secured social media accounts, but at least they won't find anything you haven't made public yet.
    The bodyguard can carry the "social" phone.

    • (Score: 0) by Anonymous Coward on Friday September 01 2017, @08:08PM (1 child)

      by Anonymous Coward on Friday September 01 2017, @08:08PM (#562693)

      Lies! Everyone knows burner phones are only for degenerate pieces of human garbage, and privacy is something only terrorists and rapists care about!!!

      Submit citizen, we are here for your protection.

      • (Score: 2) by bob_super on Friday September 01 2017, @08:36PM

        by bob_super (1357) on Friday September 01 2017, @08:36PM (#562708)

        I'm not the one who needs to submit, nor one that people are interested in seeing the naked submissions of.

    • (Score: 2) by hemocyanin on Friday September 01 2017, @09:11PM (3 children)

      by hemocyanin (186) on Friday September 01 2017, @09:11PM (#562727) Journal

      My bigger question is why Instagram needs your phone number? Is it a requirement? If so, people should decline. Is it voluntary? If so, I have no sympathy for the kind of idiot who would give up their phone number for nothing but a picture sharing site.

  • (Score: 0) by Anonymous Coward on Saturday September 02 2017, @08:04PM

    by Anonymous Coward on Saturday September 02 2017, @08:04PM (#562999)

    The attackers then modified the captured request to substitute the username sent to the Web proxy with the username of targeted celebrities. The Instagram server would then send a JSON-formatted response that included the target's personal information.

    So, you just need to ask Instagram's servers for the info, basically. I didn't know that's how password reset was supposed to work. If only there were some open source implementations someone could have looked at...
