Facebook is investigating a major
data breach that leaked personal information of 49 million Instagram users, writes
TechCrunch
after it received and analyzed the data from security researcher
Anurag Sen.

The unsecured database, hosted by
Amazon Web Services, contained personally identifiable information such as
email addresses and phone numbers, as well as user location, number of
followers, profile picture and description, likes and shares. TechCrunch traced
it back to a social media company based in India named Chtrbox.

What’s more, because Chtrbox helps
companies grow their audience by connecting them with influencers for paid
posts, many accounts leaked belong to famous influencers, brands, food bloggers
and celebrities, TechCrunch writes.

Even though the company conducts
its business in India, it held data of users from other countries, which could
lead to issues with international data privacy regulations, such as GDPR in the
case of EU residents.

In a public statement on its website, Chtrbox writes “the reports are inaccurate” because they never had more than 350,000 influencers.

“This particular database of limited influencers was inadvertently left unsecured for approximately 72 hours,” it further states. “As soon as we discovered the database vulnerability, we took immediate corrective action to secure the limited exposure.”

 “We’re looking into the issue to understand if
the data described – including email and phone numbers – was from Instagram or
from other sources,” reads a statement from Facebook. “We’re also inquiring
with Chtrbox to understand where this data came from and how it became publicly
available.”