Instagram warns users of API bug on heels of nude Bieber photos leak

Instagram’s API sprung a leak, with attackers snatching email addresses and phone numbers of “high-profile” users.

We don’t know who those high-profile users are, but we do know, as Variety reports, that somebody posted nude photos of Justin Bieber on to Selena Gomez’s Instagram account on Monday.

Bare Bieber photos weren’t up for long: within minutes, the account was offline, photos from (former couple) Gomez and Bieber’s 2015 vacation in Bora Bora were deleted, the account was re-secured, and back up it went.

Was it due to hackers exploiting what Instagram said was “a bug” in its API? Or just a coincidence? We can’t say. The two could be completely unrelated: after all, much, if not all, of the nude celebrity photo grabs of Celebgate versions 1, 2 and 3 were enabled by attackers phishing login credentials to iCloud and Google email accounts.

Or then again, it could be that the Instagram attacker did in fact exploit the flaw in the social media app’s API to peek at users’ profile information. As The Register notes, the API lets developers see profile information. That’s why Instagram and Facebook both changed their terms of service in March: to turn off the data spigot for developers who were mining the platforms for surveillance purposes.

At any rate, Instagram wasn’t forthcoming with details. But here’s what it did say in a statement sent to the New York Daily News:

We recently discovered that one or more individuals obtained unlawful access to a number of high-profile Instagram users’ contact information – specifically email address and phone number – by exploiting a bug in an Instagram API.

A source told the Daily News that one person found the API bug and used it to steal information.

Instagram says that it’s warned all of its verified users about the hack. It declined to say how many accounts were affected.

Censored versions of Bieber’s photos initially appeared in the Daily News, but the Full Monty versions later made their way online, Variety reports. This isn’t the first time his nude photos have been stolen. When it happened in 2015, also while he was on vacation in Bora Bora, he told Access Hollywood that it was a violation:

My first thing was like…how can they do this? Like, I feel super violated.

I’m not a Belieber, but I do beliebe he’s right: it is a violation when thieves get their grubby mitts on our intimate photos. Here are some ways to keep it from happening:

  • Don’t click on links in email: that’s how login credentials get phished away. If you really think your ISP, for example, might be trying to contact you, don’t click the email link. Instead, type in the URL for its website yourself and contact the company via a phone number or email address you find there.
  • Use strong passwords.
  • Lock down privacy settings on social media (here’s how to do it on Facebook, for example).
  • Don’t add people on social media you haven’t met in real life, and don’t share photos with people you don’t know and trust. For that matter, be careful of those you consider your “friends”. This isn’t the first time that Instagram content has been grabbed: one example of creeps posing as friends can be found on the creepshot sharing site Anon-IB, where users have posted images they say they took from Instagram feeds of “a friend”.
  • Use multifactor authentication (MFA) whenever possible. MFA means you need a one-time login code, as well as your username and password, every time you log in. That’s one more thing attackers need to figure out every time they try to phish you.