Instagram: Website leaked contact details of users for months

Instagram: Website leaked contact details of users for months: According to a researcher, Instagram’s website leaked user contact information, including phone numbers and email addresses, over a period of at least four months.


  • A flaw in Instagram website led to users’ contact information being made available in the source code.
  • The contact information available in source code included Instagram users’ phone numbers and email Ids.
  • The flaw not only affected thousands of Instagram users, including minors, but also brands and businesses.

The source code for some Instagram user profiles included the account holder’s contact information whenever it loaded in a web browser, says David Stier, a data scientist and business consultant, who notified Instagram shortly after he discovered the problem earlier this year. The contact information wasn’t on display on the profiles of the Instagram account holders when opened on the desktop version of Instagram’s website. However, it was used by Instagram’s app for communication. It isn’t clear why the information was included in the website’s source code.

The exposure not only affected thousands of private accounts on Instagram, some of which even belonged to minors but also the ones belonging to brands and businesses, Stier discovered as reported by CNET. Furthermore, Stier upon investigation found evidence which indicated that the phone numbers and email addresses of the affected Instagram users had been in the source code of the Instagram website since October last year.

Such a directory may have been created. On Monday, a report revealed that a marketing company in India, Chtrbox, had obtained contact information for millions of Instagram accounts and stored it on an unsecured database. It’s unclear how that database was created, but scraping data from Instagram is against the company’s terms of use.

In a statement, Instagram spokeswoman Stephanie Otway said the data Stier found in the website’s source code was not private.

Otway said, “The contact information discovered in this case is not private contact information, but contact information a member of the Instagram community chose to share when converting their profile to a Business Profile. During the setup process for Business Profiles, we display this information, remind people that it will be accessible to others, and allow them to update or remove the information.”

Instagram also said the contact information in the Chtrbox database was not private. However, the company said Chtrbox did access some of the contact information from users’ profiles in violation of Instagram policies, leading Instagram to revoke Chtrbox’s access to its platform.

In a statement, Chtrbox said it didn’t source the information through unethical means.

Good news is that Stier reported the issue to Instagram back in February and the photo-sharing platform fixed the issue in March. This means that the contact details of the affected users, who had decided to keep their phone numbers and email addresses private, is no longer visible in the source code of the Instagram website. Even so, caution must be exercised owing to the fact that this bug was active months before it was discovered.

The contact information is still available on the Instagram app, which displays users’ email addresses and phone numbers if they have opted into letting others contact them through the app. While that design isn’t ideal, it’s more secure than including contact information in the source code for a website, says Jason Hong, a computer science professor at Carnegie Mellon University who researches app security and privacy.

“Scraping data from a website is relatively easy,” Hong said. “Scraping data from a running app is possible but rather hard.”