The most recent Instagram data breach happened in January 2021, when a misconfigured database at the company SocialArks exposed account information. Instagram was also fined for privacy violations in September of 2022.
As of April 2023, there have been no known Instagram data breaches so far this year. Below you’ll find a full timeline of Instagram security breaches, starting with the most recent.
September 2022: Irish Regulators Fine Instagram €405m for Data Privacy Violations
In September 2022, Ireland’s Data Protection Commissioner leveled a €405 million fine against Meta for violating the General Data Protection Regulation (GDPR). Specifically, the fine pertained to Instagram exposing children’s phone numbers and email addresses.
In response, Meta claimed that the violation in question had been resolved for over a year, and Meta has disputed the fine.
January 2021: Data Leak Exposes Scraped Data on 214 Million Social Media Accounts
In January 2021, a major data leak at SocialArks exposed 318 million records, covering around 214 million social media accounts. A misconfigured database was responsible for the leak. Information was accessible without a password, and the data within wasn’t encrypted. As a result, anyone who could connect to the database could view the entire contents of the data store.
Within the exposed database was personal information on many account holders. Along with bios, follower counts, and similar data, phone numbers and email addresses of some users were also within the dataset.
The database focused on scraped information, where a company, entity, or individual pulls together publicly accessible data to create a large cache of information. Along with picking up individual pieces of data, some creators of scraped-information databases also try to reconcile the information they find across various platforms to create more thorough records for individual people, companies, or entities.
Web-scraping isn’t illegal outright, so the company that gathered the information was within its rights to collect it. Additionally, with scraping, nothing is hacked. All of the data is visible on the original platform at the time of collection.
However, scraping on most social media platforms is a violation of the terms and conditions. That’s the case with Instagram, as well as Facebook and most other popular social media services.
August 2020: Large-Scale Data Leak Exposes 235 Million Social Media Profiles
In August 2020, news of an unsecured database containing 235 million Instagram, TikTok, and YouTube profiles emerged. A Comparitech security research team made the announcement after notifying the database administrators that the information wasn’t properly secured and was essentially fully readable to anyone who found the data cache.
Within the exposed data was a slew of personal information. Full names, genders, ages, and profile photos were most of the content, though email addresses and phone numbers were also found in some records.
The information had been collected by Deep Social, a third party that was scraping data from accounts. Deep Social went out of business in 2018 after Facebook banned the company from scraping user data from Instagram profiles and threatened a lawsuit. The database was being administered by a different company – Social Data – leaving many uncertain about how long the information had been publicly available.
May 2019: 49 Million Records Exposed in Chtrbox Database
In May 2019, a large database operated by a third-party company was discovered online. This data was exposed due to an improperly protected Amazon Web Services server overseen by Chtrbox, a company that paid influencers for sponsored posts. The data wasn’t encrypted, and it was possible to access the information without a password.
Inside the records was personal contact information – including email addresses and phone numbers associated with accounts – as well as account data like follower counts, locations, and more.
The data also contained information regarding the estimated value of the accounts. Since the company was in the business of placing sponsored posts, it calculated how much an account could be worth by analyzing its reach, follower numbers, engagement rates, and similar data, essentially assigning a cash value to the profiles.
It’s important to note that initial reports regarding the data leak suggested that a shocking 49 million records were exposed. However, Chtrbox disputed that point, stating that no more than 350,000 influencers were potentially impacted by the incident. It isn’t fully clear precisely how many people were affected.
March 2019: Hundreds of Millions of Passwords Stored Unencrypted
In March 2019, Facebook reported that it had accidentally stored hundreds of millions of user passwords unencrypted. These passwords belonged to Facebook accounts, Facebook Lite accounts, and, as the company revealed in April, Instagram accounts.
These passwords were widely available within the company. Typically, companies only store passwords with encryption, to protect this information in case of a hack. In Facebook’s case, these passwords were easily viewable for years.
You can read more in our full timeline of Facebook data breaches.
August 2017: Contact Information for 6 Million Accountholders Compromised
In August 2017, news broke of a data breach that impacted 6 million Instagram accounts. Due to a bug in the Instagram developer API, it was possible to scrape phone number and email data related to Instagram accounts from the platform. While Instagram addressed the issue, the fix seemingly didn’t come in time.
Hackers posted a website featuring a searchable database containing information that was allegedly the personal contact details of high-profile users. The group claimed to focus on accounts with more than one million followers first, shifting toward other accounts after. In the end, the data seemed to include both high-profile and regular users. The hackers charged a fee for each search and ultimately sold the data for Bitcoin.
Instagram did reach out to verified accounts after the incident took place to inform them of the breach.
November 2015: InstaAgent App Caught Stealing Passwords
In November 2015, Apple and Google discovered that InstaAgent, a third-party Instagram client, had been stealing and posting Instagram usernames and passwords without users’ permission.
Following the incident, Instagram cracked down on third-party apps, severely restricting access to its API.
We did not find any earlier records of data breaches involving Instagram. But its parent company has encountered its fair share of data breaches and privacy violations over the years – read more in our full timeline of Facebook breaches.