Open AWS Database Exposes Millions of Instagram Accounts

AWS Database With No Password Exposes 49 Million Instagram Accounts

Lacework Editorial

May 21, 2019

An AWS database with almost 50 million records of public data about Instagram accounts was left open and exposed. The database, which was growing by the hour, required no password to access. It exposed publicly accessible data such as users’ bios, profile pictures, number of followers, verification status, and location, as well as private contact information including email addresses and phone numbers. Among the records were many high-profile celebrities and influencers.

The database appears to be owned by Mumbai-based Chtrbox, a media firm that bills itself as the provider of an “influencer marketing tool” that pays influencers to post sponsored content from their accounts. For many of the accounts, the data also included how, and how much, they are paid, along with a metric that determined the account’s worth.

The database was pulled offline after the company was notified of the exposure.

This is not the first time Instagram has been at the center of a security issue. Two years ago, the service disclosed a security bug in its developer API that enabled attackers to access and extract the personal contact information of six million accounts. The company determined that the data had been sold by attackers for bitcoin.

While the exact cause is not yet known, it is becoming increasingly common for cloud environments to have resources that are left wide open because of missing passwords or other lax security practices. In the Chtrbox case, as in many similar cases, the company was not aware of the issue until notified by a third party. These organizations are not applying security or compliance monitoring, breach detection, or anomaly awareness.

Organizations that run workloads in the cloud move fast, from development to runtime. The entire nature of their infrastructure is predicated upon being able to rapidly spin up new instances of computing and storage capabilities to meet the needs of their business and technology demands. But moving fast sometimes comes at the cost of neglecting security best practices such as requiring passwords for resources, requiring multi-factor authentication (MFA), rotating keys regularly, and following the principle of least privilege, along with a host of other key practices that should be gospel.

It’s also critical that organizations have insight into their cloud accounts, workloads, and container infrastructure. Without that insight, an organization is prone to information gaps that prevent it from detecting misconfigurations, unenforced policies, or other issues that could easily lead to a breach.

The solution to these potential gaps in cloud security is one that monitors and logs all inter-process activities, even those occurring inside the same file. You need a host-based intrusion detection system designed to monitor process hierarchy, process and machine communications, any changes in user privileges, internal and external data transfers, and all other cloud activity. An effective system looks across all layers, and it analyzes activity based on normalized behavior, which gives a continuous real-time view even across short-lived services that may only exist for a few minutes. Having that process-to-process visibility is a critical factor in having strong, effective security built into any cloud environment.