Bitglass, the next-generation cloud access security broker, has commented on the recent Instagram vulnerability and warned companies that they cannot rely on others to find their security issues, and must take a more proactive approach to defending user data.
Instagram’s parent company Facebook has confirmed that a newly discovered security vulnerability may have put data at risk, leaving users open to attack by threat actors. When individuals create user profiles for a service, they trust that their personally identifiable information (PII) will be kept secure.
A security researcher ran tests on the platform and successfully retrieved ‘secure’ user data. This data included users’ real names, Instagram account numbers and handles, and full phone numbers. The linking of this data is all an attacker would need to target those users. Facebook has since made changes to Instagram to protect its users.
Anurag Kahol, CTO of Bitglass, comments: “There is an important distinction between what a user chooses to make public, such as a unique handle or username, and the personally identifiable information (PII) that they use to create accounts.
“When individuals make user profiles for any given service, they trust that their PII will be kept secure. While Instagram exposed users’ passwords a little less than a year ago, it appears that the company did not sufficiently learn its lesson. Instagram is now reported as having left names, account numbers, and phone numbers exposed, as well.
“While there are no signs that credentials were leaked or data was stolen by hackers, users could have had their accounts and information exposed if a researcher hadn’t found the issue and intervened. Companies cannot rely on others to find their security issues and instead must take a more proactive approach to defending user data.
“Organisations that have complete visibility and control over their data are in a better position to identify and remediate vulnerabilities that could be exploited by malicious actors. The days of reactive security have passed – real-time protections are now absolutely critical.”