Instagram fixes API blamed for celebrity data leaks

Facebook-owned photo-sharing service Instagram has fixed a flaw in its application programming interface (API) exploited by hackers to access user details.

The company said in a statement that “a number of” celebrities’ phone number and email addresses had been accessed by “one or more” hackers exploiting a flaw in its API.

All those account holders affected by the security breach have been notified by email, the company said. However, Instagram declined to say how many people had been affected, and declined to comment on individual accounts, according to CNN.

Instagram said no passwords had been stolen, but urged users to look out for any suspicious activity on their accounts and be “extra vigilant” about unexpected phone calls, texts and emails as they could be from scammers using the stolen data.

Instagram claims to have more than 500 million users, with around 300 million using the service at least once a day.

APIs provide easy access to data that enables rich and dynamic user experiences and interoperability with third-party apps, but security professionals have long warned of the risks of not ensuring that APIs are secure.

According to security firm Distil Networks, 21% of APIs still go live without any input from security professionals, often providing opportunities for cyber attackers.

“APIs impact business and the world around us more than most people realise. The fact that API security is flying under the radar and not being adequately addressed should be a red flag prompting organisations to examine their own practices,” said Rami Essaid, CEO and co-founder of Distil Networks.

“CIOs and CISOs need to get a handle on how responsibility is addressed in their organisations and decide whether the process is sufficiently robust,” he said.

Speaking to Computer Weekly at the Black Hat conference, Dan Kuykendall, senior director of application security products at Rapid7, said there was a growing gap in what security people with non-programming backgrounds understand and can handle, and what developers understand about the security risks.

“Most of those in security are struggling because they have never been programmers and, at the same time, developers do not fully understand all the security issues,” he said, adding that the problem was being exacerbated by the increasing use of APIs. 

Companies are exposing APIs for business reasons such as enabling customers to place orders, but Kuykendall said many of these are still not being security tested.

“Companies are running headlong into this major ecosystem, particularly when it comes to mobile apps, and it is like the web in the late 1990s all over again where development is happening at a rapid pace without enough attention to security,” he said.

Businesses of all descriptions have a responsibility to invest in robust security software to defend precious customer and employee data, said Paul Cant, vice-president for Europe at BMC Software.

“In this instance, as the hack arose due to a software bug, and given the high-profile nature of the individuals targeted, both users of and social media platforms themselves must exercise extreme vigilance,” he said.

As accountability in security operations teams and the pressure to identify and deal with vulnerabilities has increased, Cant said companies must be versatile enough to adapt their cyber security strategies to ever-evolving digital threats.

“It is critical that an enterprise wide culture of security that includes key stakeholders exists to mitigate any ‘weak link’ security gaps,” he said.