Instagram’s “no breach” breach

About a month ago, millions of Instagram users, including me, received a password reset email that they did not request.

And even though a reported 17.5 MILLION users were impacted by this incident, Instagram still insisted: NO BREACH.

I thought I was done with this topic, but the folks at Security Boulevard posted a fascinating article yesterday that I think deserves to be highlighted (you should read it).

The TL;DR: Instagram can say it was not breached because, technically, its internal systems were not compromised. The scrapers pulled the data out through the public API instead. What in the world does that mean?

Most social media platforms expose a public API: a programmatic interface through which third-party software requests platform data directly instead of loading web pages. Social media management and social media listening tools rely on these APIs to pull posts, comments and audience data into their dashboards; that is how tools like Hootsuite, Sprinklr, Khoros and Sprout can put all of your channels in one place. Scrapers know that this interface hands out rich data in a clean, machine-readable form, and they have worked out ways to get around its limits and gather as much of it as they can.

The Security Boulevard article above does a great job of breaking down the how:

  1. Distributed scraping: APIs cap how many requests (“calls”) a single client may make in a given period, and that cap is usually enforced per IP address. Spreading the requests across many IP addresses makes one scraper look like many unrelated users, each staying under the limit while the pool as a whole pulls far more data.

  2. Account rotation: Registering large numbers of fake accounts and cycling through them for the same reason: each account stays under its own quota, and the limit is never tripped.

  3. Compromised business accounts: Breaking into legitimate business accounts and pulling data through their API access.

  4. API endpoint vulnerability: Essentially, the receiving end of the transaction, the server-side endpoint that answers each request, is not as secure as it should be, so it can be coaxed into handing back more than it was meant to.
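
To make points 1 and 2 concrete, here is an added example (written for this post; it is not code from Instagram, Security Boulevard or any of the tools named above). It simulates API request logs with constructed field names and values, and shows why a per-IP or per-account rate limit is blind to a scraper that spreads its requests across many sources, while an aggregate check on the endpoint as a whole is not. The “contiguous ID range” heuristic and the thresholds are assumptions for illustration, not a description of how any platform detects scraping:

```python
"""Added example: per-key rate limits versus distributed scraping.

Log fields (ts, ip, account, endpoint, target) and all request data below are
constructed for this example; they are not real Instagram traffic.
"""
from collections import defaultdict

WINDOW_SECONDS = 60
PER_KEY_LIMIT = 10  # assumed per-IP / per-account cap per window

# Constructed scraper traffic: 6 IPs / 6 accounts, 5 requests each (all under
# the cap), but together they sweep target IDs 1000..1029 in order.
SCRAPER_REQUESTS = [
    {"ts": i, "ip": f"203.0.113.{i % 6 + 1}", "account": f"acct{i % 6}",
     "endpoint": "/users/lookup", "target": 1000 + i}
    for i in range(30)
]

# Constructed benign traffic: one client looking up a handful of unrelated IDs.
BENIGN_REQUESTS = [
    {"ts": i, "ip": "198.51.100.7", "account": "acct_real",
     "endpoint": "/users/lookup", "target": t}
    for i, t in enumerate([1003, 2000, 1500, 42, 7, 999, 300, 10])
]


def per_key_blocked(requests, key, limit=PER_KEY_LIMIT, window=WINDOW_SECONDS):
    """Fixed-window rate limit keyed on one field ("ip" or "account").

    Returns the indices of requests that would be rejected. This is the kind
    of control a distributed scraper is built to stay underneath.
    """
    counts = defaultdict(int)
    blocked = []
    for idx, req in enumerate(requests):
        bucket = (req[key], req["ts"] // window)
        counts[bucket] += 1
        if counts[bucket] > limit:
            blocked.append(idx)
    return blocked


def detect_distributed_enumeration(requests, window=WINDOW_SECONDS,
                                   min_clients=5, min_targets=20,
                                   min_coverage=0.8):
    """Aggregate per endpoint and window across *all* clients.

    Flags a window in which many distinct IPs collectively request many
    distinct targets that fill a near-contiguous ID range: no single client
    exceeds its limit, but the fleet as a whole is walking the ID space.
    """
    by_bucket = defaultdict(list)
    for req in requests:
        by_bucket[(req["endpoint"], req["ts"] // window)].append(req)

    findings = []
    for (endpoint, win), reqs in by_bucket.items():
        ips = {r["ip"] for r in reqs}
        targets = sorted({r["target"] for r in reqs})
        if len(ips) < min_clients or len(targets) < min_targets:
            continue
        span = targets[-1] - targets[0] + 1
        coverage = len(targets) / span  # 1.0 means every ID in the range was hit
        if coverage >= min_coverage:
            findings.append({"endpoint": endpoint, "window": win,
                             "clients": len(ips), "targets": len(targets),
                             "coverage": coverage})
    return findings


if __name__ == "__main__":
    for key in ("ip", "account"):
        print(f"per-{key} limiter blocks:", per_key_blocked(SCRAPER_REQUESTS, key))
    print("scraper:", detect_distributed_enumeration(SCRAPER_REQUESTS))
    print("benign: ", detect_distributed_enumeration(BENIGN_REQUESTS))
```

Run it as a script: both per-key limiters return an empty block list for the scraper traffic, because every IP and every account stays at five requests, while the aggregate check flags the window with six clients covering all thirty IDs in the range and stays silent on the single benign client. The point is the keying, not the numbers: a limit enforced only on the dimension the attacker controls (source IP, account) is exactly the limit that account rotation and distributed scraping are designed to slip under.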

Now, back to the “no breach.” This isn’t just putting lipstick on a pig. It’s a downright LIE. Sorry, not sorry, but this was obviously a breach.

Just because technically the data scraped is “public data,” and because technically the company’s internal systems were not compromised, Meta takes license to say nope, no breach here. Don’t pay any attention to the data-mining behemoth behind the curtain.

Yet 17.5 million users had their details posted on the dark web, including usernames, display names, account IDs, geolocation data, email addresses and phone numbers.

As the Security Boulevard article rightly points out, “Your Instagram data alone is annoying. Combined with AT&T's leaked SSNs or LinkedIn's professional data? That's a complete identity theft toolkit.” Exactly.

One thing I know after almost two decades of sitting at the intersection of cybersecurity and social is that the platforms are not in a rush to deal with these issues. Because, money. Their business models are heavily reliant on the income from those API feeds, and restricting them further would be bad for business. Bottom line. And while I understand profits are king particularly for public companies, security needs to be paramount. I’m not holding my breath that Meta or any of the other major platforms will change this any time soon.

Hat tip to the team at Security Boulevard for an outstanding rundown.
