News that someone exploited an Instagram security hole to steal info from some of its most popular accounts got worse when they began selling it. The Verge reports this dark web service is no longer available, but The Daily Beast chatted with operators of the “Doxagram” database who provided a sample of the info that included addresses and numbers for about 1,000 accounts. The info did not appear to be from previous leaks, and some owners confirmed their entries were valid.
In another statement, Instagram again confirmed the bug, saying that while no passwords were revealed, the bug did allow access to phone numbers and email addresses even if they weren’t public. The hackers were selling access to the database at a price of $10 for each query, and told Ars Technica today that they had made at least $500 already. According to them, an automated process could steal info from up to one million accounts per hour, and Instagram didn’t close the hole until 12 hours after their attack started and he had accessed 6 million accounts.
Initially, Instagram’s alert said that “high-profile” users may have had information revealed, but even with 700 million or so active users, there may be more people who need to know their information is out there.