An Instagram bug allowed hackers to access contact phone numbers and email addresses for high-profile users, the company said today. The bug was discovered recently in Instagram’s application programming interface, or API, which the service uses to communicate with other apps. Instagram declined to specify which users had been targeted, but the news comes two days after hackers accessed the account of its most-followed user, Selena Gomez, and posted nude pictures of her ex-boyfriend Justin Bieber.
“We recently discovered that one or more individuals obtained unlawful access to a number of high-profile Instagram users’ contact information — specifically email address and phone number — by exploiting a bug in an Instagram API,” the company said in as statement. “No account passwords were exposed. We fixed the bug swiftly and are running a thorough investigation.”
The company has notified all of its verified account holders of the possible leak of their contact information. It encouraged users to be cautious if they receive unrecognized phone calls, text messages, or emails.
In at least one case, a user was able to exploit the bug on “some accounts,” though Instagram would not say cite specific accounts or say how many had been affected. But access to a phone number and email address could be used in tandem with social engineering techniques to potentially gain access to a user’s Instagram account.
That likely explains what happened to Gomez, who has 125 million followers on Instagram. Her account was taken down on Monday after hackers gained access to it and posted the photos of Bieber, which were originally made public in 2015. The account was restored later in the day.