A flaw on the Instagram website leaked phone numbers and emails for months

After Facebook admitted in April that millions of Instagram and Facebook passwords were stored in plaintext, researchers have now discovered a flaw on the Instagram website that has reportedly leaked users’ phone numbers and email addresses for months.

Data scientist and business consultant Stier told CNET that a flaw in the Instagram website code left the phone numbers of some Instagram accounts visible in plain text to anyone who inspected the website code loaded in their web browser.

The exposure appeared to include contact information for thousands of accounts, which belonged to private individuals—some of whom were minors—along with businesses and brands, Stier said. Including the information in the source code could let hackers scrape the data from the Instagram website, allowing them to assemble a virtual phone book that lists the contact details of thousands of Instagram users.

Such a directory may have been created. On Monday, a report revealed that a marketing company in India had obtained contact information for millions of Instagram accounts and stored it on an unsecured database. It’s unclear how that database was created, but scraping data from Instagram is against the company’s terms of use.

The flaw, discovered in February, was fixed in March.

A little more than a month ago, Facebook said in a blog post that it had discovered logs of “millions” of Instagram passwords of influencers, celebrities and brand accounts insecurely stored in plain text but noted its investigation found none of the exposed passwords were abused or improperly accessed. Furthermore, the passwords were not accessible outside of Facebook and Instagram employees, the company said.

That breach was revealed after Mumbai-based social media marketing firm Chtrbox shared a database that included personal user info. “We’re also inquiring with Chtrbox to understand where this data came from and how it became publicly available,” Facebook said Monday.

Any affected users were notified by Instagram to change their passwords.