An Instagram bug allowed hackers to access contact phone numbers and email addresses for high-profile users, i.e. verified users, the company said today. The bug was part of Instagram’s application programming interface (API), which is used to communicate with other apps.
It might also help explain the hack of singer-actress Selena Gomez’s account from earlier this week, which was followed by nude pictures of her ex-boyfriend Justin Bieber from 2015. Gomez is the most-followed person on Instagram with over 125 million followers.
“We recently discovered that one or more individuals obtained unlawful access to a number of high-profile Instagram users’ contact information – specifically email address and phone number — by exploiting a bug in an Instagram API,” Instagram said in a statement. “No account passwords were exposed. We fixed the bug swiftly and are running a thorough investigation.”
For what it’s worth, Instagram does have support for two-factor authentication, though it remains unclear if the affected accounts had it enabled, or whether it was somehow bypassed by the hackers.