DoxaGram: Instagram API Bug Used to Extract Contact Information for Millions of Users

By Justin Cobbs on September 14, 2017

Ido Naor, a researcher at Kaspersky Lab, reported to Instagram on August 31 that there was a bug in the password reset section of Instagram's API. The attackers who exploited it claimed to have harvested personal phone numbers and email addresses for approximately 6 million accounts, among them "high-profile" accounts belonging to celebrities such as Taylor Swift, Leonardo DiCaprio, and Floyd Mayweather.

To mitigate the effects of the exposure, Mike Krieger, Co-Founder and Chief Technical Officer of Instagram, posted an alert on September 1, 2017. He suggested that potentially affected users "be extra vigilant" and be cautious of texts, emails, and calls from unknown numbers. Krieger also stated that "No passwords or other Instagram activity was revealed" and that only email addresses and phone numbers were exposed, regardless of whether the affected account was set to private. The bug was reported to have been patched on August 30, 2017, shortly after Instagram learned of the vulnerability.
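The page does not describe the exact flaw in Instagram's reset endpoint, so the following is an added, generic illustration of the bug class rather than Instagram's code or the published exploit: a password-reset lookup that answers an unauthenticated caller with the account's email and phone (and so lets anyone enumerate usernames and harvest contact details whatever the profile's privacy setting), beside a hardened version that returns the same response whether or not the account exists, delivers the reset link only out of band, and throttles requests per source. The account store, usernames, addresses, thresholds and function names are all constructed for this example.

```python
"""Added example, not Instagram's code: a contact-leaking password-reset
lookup next to a hardened one. All data and names below are constructed."""
from collections import defaultdict

# Constructed sample accounts; not real people.
ACCOUNTS = {
    "alice": {"email": "alice@example.com", "phone": "+15551234567"},
    "bob":   {"email": "bob@example.org",   "phone": "+15559876543"},
}


def reset_lookup_leaky(username):
    """Vulnerable pattern (hypothetical): the reset endpoint returns the
    contact details it is about to use, before any proof of ownership.
    An unauthenticated caller can walk a username list and collect every
    account's email and phone; profile privacy settings never apply here."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return {"status": "no_such_user"}  # also leaks account existence
    return {"status": "ok", "email": acct["email"], "phone": acct["phone"]}


class ResetService:
    """Hardened pattern: uniform response, no contact data in the reply,
    delivery out of band only, and a per-source request cap."""

    def __init__(self, accounts, max_per_source=5):
        self.accounts = accounts
        self.max_per_source = max_per_source
        self.requests_by_source = defaultdict(int)
        self.outbox = []  # stands in for the email/SMS gateway

    def request_reset(self, username, source_ip):
        self.requests_by_source[source_ip] += 1
        if self.requests_by_source[source_ip] > self.max_per_source:
            return {"status": "rate_limited"}
        acct = self.accounts.get(username)
        if acct is not None:
            # The address is used only to deliver the link; it never
            # appears in the HTTP response.
            self.outbox.append((acct["email"], f"reset link for {username}"))
        # Identical reply for existing and non-existing usernames, so the
        # endpoint cannot be used to confirm that an account exists.
        return {"status": "if_an_account_exists_a_link_was_sent"}


def harvest(lookup, usernames):
    """What a mass-extraction script does against either endpoint: call the
    lookup for each candidate username and keep any contact data returned."""
    collected = {}
    for name in usernames:
        resp = lookup(name)
        if "email" in resp or "phone" in resp:
            collected[name] = (resp.get("email"), resp.get("phone"))
    return collected


if __name__ == "__main__":
    candidates = ["alice", "bob", "carol"]
    print("leaky endpoint yields:", harvest(reset_lookup_leaky, candidates))
    svc = ResetService(ACCOUNTS, max_per_source=5)
    print("hardened endpoint yields:",
          harvest(lambda u: svc.request_reset(u, "198.51.100.7"), candidates))
```

Running the harvester against the leaky lookup returns every existing account's email and phone; against the hardened service it returns nothing, and after the per-source cap the service answers only `rate_limited`. The uniform reply is the important part: even a partially masked hint ("we sent a link to a***@example.com") would still confirm the account exists and reveal the mail domain.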

Facebook has also been registering DoxAGram-related domain names in its own name in an attempt to keep the hackers offline. The hope is that by taking the domain names associated with the hackers' brand, the hackers will have a harder time profiting from the sale of the personal information.

Shortly after the hackers provided information on around 1,000 celebrities to The Daily Beast, they set up a searchable database, dubbed DoxAGram, that offered celebrity phone numbers and email addresses for a fee of $10 in bitcoin per record or $5,000 for the entire database. DoxAGram was accessible on the public Internet and was reported to remain reachable through the Tor Browser. The database was taken offline on Friday, September 1, 2017, then brought back online the following Monday. Those hosting DoxAGram claimed they were legally selling the information as a data broker.

A Saudi Arabian hacker going by _1337r00t has also published source code on GitHub showing how to extract the phone numbers and email addresses of Instagram users by abusing the password reset flow of Instagram's API. _1337r00t also provides a sample of the harvested accounts at http://1337leaks.info/leaked/?leak=instagram.

Sources

http://www.zdnet.com/article/instagram-api-found-leaking-high-profile-email-addresses-and-phone-numbers/

http://www.securityweek.com/hackers-sell-celebrity-info-obtained-instagram-hack

https://twitter.com/search?q=%23DoxAGram&lang=en

http://www.thedailybeast.com/hackers-claim-apparent-instagram-fightback-will-not-stop-them-selling-stolen-doxagram-data

http://www.thedailybeast.com/hackers-make-searchable-database-to-dox-instagram-celebs

https://www.theverge.com/2017/9/1/16244304/instagram-hack-api-bug-doxagram-selena-gomez

https://bgr.com/2017/09/04/instagram-hack-6-million-accounts-doxagram/