The phone numbers and and email addresses of 6 million Instagram users — including 500 A-list celebrities — have been put up for sale on the dark web after attackers exploited a bug in the system.
Instagram announced on Friday that a recently discovered bug had allowed access to email addresses and phone numbers even if they were not public, but no passwords or Instagram activity had been revealed.
The company said at the time that it believed only a low percentage of Instagram accounts have been impacted. But Instagram has subsequently disclosed that a purported 6 million stolen account details are being offered for sale for US$10 ($12.50) per account.
UK cybersecurity company RepKnight said the contact details used in the Instagram accounts of some of the biggest names in acting, music and sport have leaked to the dark web in the wake of the breach.
Affected celebrities include Emma Watson, Emilia Clarke, Zac Efron, Leonardo Di Caprio, Channing Tatum, Harry Styles, Ellie Goulding, Victoria Beckham, Beyoncé, Lady Gaga, Rihanna, Taylor Swift, Katy Perry, Adele, Snoop Dogg and Britney Spears.
Sporting luminaries including Floyd Mayweather, Zlatan Ibrahimović, Paul Pogba and Zinedine Zidane, Neymar, David Beckham, Ronaldinho, Sachin Tendulkar and Virat Kohli have also been impacted.
“While Instagram has now fixed the bug that led to the leak, the cat is out of the bag now, and those affected will have to take extra care to maintain their privacy,” RepKnight Cybersecurity Analyst Patrick Martin said.
“The attack just goes to show the growing threat of the Dark Web. If you’ve been hacked and someone’s posted your contact details on a site that Google cannot reach, you’re highly unlikely to ever understand the severity of that hack.”