Data scientist and business consultant David Stier has claimed that the Instagram website leaked sensitive user information, including phone numbers and email addresses, for millions of accounts over a period of at least four months, CNET is reporting.
According to Stier, who notified Instagram shortly after discovering the flaw, the source code for some Instagram user profiles included the account holder’s contact information whenever it loaded in a web browser.
By looking at the archived versions of Instagram profiles, Stier said he found evidence that the phone numbers and emails had been in the source code since at least October. The exposure, he said, appeared to include contact information for thousands of accounts, belonging to private individuals, businesses, and brands.
The contact information wasn’t displayed on the account holders’ profiles on the desktop version of the Instagram website, although it was used by the photo-sharing site’s app for communication. It isn’t clear why the information was included in the website’s source code.
Including the information in the source code could let hackers scrape the data from the Instagram website, allowing them to assemble a virtual phone book that lists the contact details of thousands of Instagram users.
On Wednesday, Instagram said it was investigating Stier’s report of leaky code, although it declined to issue any further comment on the matter.