Millions of Instagram influencers had their contact data scraped and exposed

A massive database containing contact information of millions of Instagram influencers, celebrities, and brand accounts has been found online.

The database, hosted by Amazon Web Services, was left exposed and without a password, allowing anyone to look inside. At the time of writing, the database had over 49 million records — but was growing by the hour.

From a brief review of the data, each record contained public data scraped from an influencer's Instagram account, including their bio, profile picture, number of followers, verification status, and location by city and country. But each record also contained private contact information, such as the account owner's email address and phone number.

Security researcher Anurag Sen discovered the database and alerted TechCrunch in an effort to find the owner and get the database secured. We traced the database back to Mumbai-based social media marketing firm Chtrbox, which pays influencers to post sponsored content on their accounts. Each record in the database also included a calculated worth for the account, based on the number of followers, engagement, reach, likes and shares it had. This was used as a metric to determine how much the company could pay an Instagram celebrity or influencer to post an ad.

TechCrunch found several high-profile influencers in the exposed database, including prominent food bloggers, celebrities and other social media influencers.

We contacted several people at random whose information was found in the database and provided them their phone numbers. Two of the people responded and confirmed that the email address and phone number found in the database were the ones used to set up their Instagram accounts. Neither had any involvement with Chtrbox, they said.

Shortly after we reached out, Chtrbox pulled the database offline. Pranay Swarup, the company’s founder and chief executive, did not respond to a request for comment and several questions, including how the company obtained private Instagram account email addresses and phone numbers.

The scraping effort comes two years after Instagram admitted a security bug in its developer API allowed hackers to scrape the email addresses and phone numbers of six million Instagram accounts. The hackers later sold the data for bitcoin.

Months later, Instagram — now with more than a billion users — choked its API to limit the number of requests apps and developers can make on the platform.

A spokesperson for Facebook, which owns Instagram, said it was looking into the matter. “Scraping data of any kind is prohibited on Instagram,” said the spokesperson. “We’re investigating how and what data was obtained and will share an update soon.”

Google’s own data proves two-factor is the best defense against most account hacks

Every once in a while someone will ask me what is the best security advice.

The long answer is “it depends on your threat model,” which is just a fancy way of saying what’s good security advice for the vast majority isn’t necessarily what nuclear scientists and government spies require.

My short answer is, “turn on two-factor.” Yet, nobody believes me.

Ask almost any cybersecurity professional and it'll likely rank as more important than using unique or strong passwords. Two-factor, which adds an additional step to your usual log-in process by sending a unique code to a device you own, is the greatest defense between a hacker and your online account data.

But don’t take my word for it. Google data out this week shows how valuable even the weakest, simplest form of two-factor can be against attacks.

The research, with help from New York University and the University of California, San Diego, shows that any device-based challenge — such as a text message or an on-device prompt — can in nearly every case prevent the most common kind of mass-scale attacks.

Google’s data showed having a text message sent to a person’s phone prevented 100 percent of automated bot attacks that use stolen lists of passwords against login pages and 96 percent of phishing attacks that try to steal your password.

Account takeover prevention rates by challenge type. (Image: Google)

Not all two-factor options are created equal. We've explained before that two-factor codes sent by text message can be intercepted by semi-skilled hackers, but they're still better than not using two-factor at all. The next best option, getting a two-factor code through an authenticator app on your phone, is far more secure.

Only a security key, designed to protect the most sensitive accounts, prevented not only automated bot and phishing attacks but also highly targeted attacks, typically associated with nation states. Just one in a million users face targeted attackers, Google said.

For everyone else, adding a phone number to your account and getting even the most basic two-factor set up is better than nothing. Better yet, go all in and shoot for the app.

Your non-breached online accounts will thank you.

‘Crypto exchange’ Goxtrade caught using other people’s photos on its staff page

Alleged cryptocurrency exchange Goxtrade bills itself as a "trusted platform for trading bitcoins," but its staff page is filled with photos of people pulled seemingly at random from the internet.

The alleged exchange, which claims to have launched in 2017 even though its website is only a little more than a week old, used photos taken from social media profiles and the websites of other companies not associated with it.

Bizarrely, the alleged exchange didn’t bother to change all of the names of the people whose photos it used.

Amber Baldet, co-founder of Clovyr, a prominent figure in the blockchain community, and listed in Fortune’s ’40 Under 40′, was one of the people whose name and photos appeared on the site.

“Fraud alert: I am not a developer at Goxtrade and probably their entire business is a lie,” she tweeted Friday.

Nearly all of the names are accurate but have no connection to the site. (Image: TechCrunch)

Goxtrade claims to be an exchange that lets users "receive, send and trade cryptocurrency." After we created an account and signed in, it wasn't clear whether the site even works. But the online chat room has hundreds of messages from users trying to trade their cryptocurrencies. The site's name closely resembles that of Mt. Gox, a failed cryptocurrency exchange that collapsed after it was hacked. At its 2014 peak, the exchange handled more than 70 percent of all bitcoin transactions. More than $450 million in bitcoins were stolen in the apparent breach.

Baldet isn’t the only person wrongly associated with the suspect site.

TechCrunch has confirmed the other photos on the site belong to other people seemingly chosen at random — including a claims specialist in Illinois, a lawyer in Germany, and an operations manager in Melbourne.

Another person whose photo was used without permission is Tom Blomfield, chief executive of digital bank Monzo. In a tweet, Blomfield — who was listed on the alleged exchange as “Arnold Blomfield” — said his legal team has filed complaints with the site’s hosts.

But things get weirder than just stolen staff photos.

Hours after the site was first flagged, Cloudflare now warns users that the alleged exchange is a suspected phishing site. (Image: TechCrunch)

Goxtrade lists its registered address as Heron Tower, one of the new skyscrapers in London. We checked the listings and there's no company of that name listed in the building. There's also no mention of Goxtrade in the U.K.'s registry of companies and businesses. When we checked the registered number listed on its terms and conditions page, the listing points to an entirely unrelated clothing company in Birmingham.

Later in the day, networking giant Cloudflare, which provides services to the site, flagged it as a phishing site.

We reached out to Goxtrade by email prior to publication but did not hear back. When we checked, Goxtrade's mail records were pointing to an email address run by Yandex, a Russian internet company.

It’s not the first time a cryptocurrency startup has been called into question for using other people’s photos on their staff pages. After raising more than $830,000, Miroskii was caught listing actor Ryan Gosling as one of its graphic designers. Almost every photo later transpired to have been lifted from another source. The company later claimed it was hacked.

Cryptocurrency-related scams are not rare. Many have taken what they’ve raised and gone dark, never to be seen again. We’ve covered a fair number here on TechCrunch, including a massive $660 million scam from 2018.

A fair warning with Goxtrade: all signs seem to point to yet another scam.


After breach, Stack Overflow says some user data exposed

After disclosing a breach earlier this week, Stack Overflow has confirmed some user data was accessed.

In case you missed it, the developer knowledge sharing site confirmed Thursday a breach of its systems last weekend, resulting in unauthorized access to production systems — the front-facing servers that actively power the site. The company gave few details, except that customer data was unaffected by the breach.

Now the company says the intrusion on the website began about a week earlier and "a very small number" of users had some data exposed.

“The intrusion originated on May 5 when a build deployed to the development tier for stackoverflow.com contained a bug, which allowed an attacker to log in to our development tier as well as escalate their access on the production version of stackoverflow.com,” said Mary Ferguson, vice president of engineering.

“This change was quickly identified and we revoked their access network-wide, began investigating the intrusion, and began taking steps to remediate the intrusion,” she said.

Although the user database wasn’t compromised, “we have identified privileged web requests that the attacker made that could have returned IP address, names, or emails” for some users.

The company didn’t immediately quantify how many users were affected. Stack Overflow has 10 million registered users. Spokesperson Khalid El Khatib said “approximately 250 public network users” were affected. Ferguson said affected users will be notified.

Stack Overflow’s teams, business and enterprise customers are on separate, unaffected infrastructure, she said, and there’s “no evidence” that those systems were accessed. The company’s advertising and talent business is said to be unaffected.

In response to the incident, the company terminated the unauthorized access and is conducting an “extensive” audit of its logs to gauge the level of access gained by the attacker.


Stack Overflow confirms breach, but customer data said to be unaffected

Developer knowledge sharing site Stack Overflow has confirmed hackers breached its systems, but said customer data is unaffected.

“Over the weekend, there was an attack on Stack Overflow,” wrote Mary Ferguson, vice president of engineering. “We have confirmed that some level of production access was gained on May 11.”

“We discovered and investigated the extent of the access and are addressing all known vulnerabilities,” said Ferguson. “We have not identified any breach of customer or user data,” she said.

An investigation into the breach is ongoing.

The company otherwise remained tightlipped about the breach, its cause, and the effect. We’ve sent several questions to the company but did not immediately hear back.

Stack Overflow, founded in 2008, has more than 50 million developer members who use the site to share code and knowledge. It remains one of the top 50 most popular sites on the web, according to rankings by internet analytics site Alexa. The company is backed by Andreessen Horowitz and Bezos Expeditions, raising $40 million in its most recent Series D funding round in 2015.


Boost Mobile says hackers broke into customer accounts

Boost Mobile, a virtual mobile network owned by Sprint, has confirmed hackers have broken into an unknown number of customer accounts.

The company quietly posted a notification of its data breach almost exactly two months after March 14, when Boost said the breach happened.

“Boost.com experienced unauthorized online account activity in which an unauthorized person accessed your account through your Boost phone number and Boost.com PIN code,” said the notification. “The Boost Mobile fraud team discovered the incident and was able to implement a permanent solution to prevent similar unauthorized account activity.”

It’s not known exactly how the hackers obtained customer PINs — or how many Boost customers are affected. The company also notified the California attorney general, which companies are required to do if more than 500 people in the state are affected by the same security incident.

Boost Mobile reportedly had 15 million customers in 2018.

The hackers used those phone numbers and account PINs to break into customer accounts using the company’s website Boost.com, said the notification. These codes can be used to alter account settings. Hackers can automate account logins using lists of exposed usernames and passwords — or in this case phone numbers and PIN codes — in what’s known as a credential stuffing attack.
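As an added illustration of how a defender might spot this kind of credential stuffing in web login logs (example code written for this article, not Boost's own tooling; the log format, IP addresses and phone numbers are constructed):

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample login log. The format, IP addresses and phone numbers are
# assumptions for this example, not Boost.com's real logs. One source address
# tries a different phone number/PIN pair every second; the others look normal.
SAMPLE_LOG = """\
2019-03-14T02:00:01Z 198.51.100.7 login phone=555-0101 result=fail
2019-03-14T02:00:02Z 198.51.100.7 login phone=555-0102 result=fail
2019-03-14T02:00:02Z 198.51.100.7 login phone=555-0103 result=success
2019-03-14T02:00:03Z 198.51.100.7 login phone=555-0104 result=fail
2019-03-14T02:00:04Z 198.51.100.7 login phone=555-0105 result=fail
2019-03-14T02:00:05Z 198.51.100.7 login phone=555-0106 result=fail
2019-03-14T02:00:09Z 203.0.113.5 login phone=555-0200 result=fail
2019-03-14T02:00:40Z 203.0.113.5 login phone=555-0200 result=success
2019-03-14T02:05:00Z 192.0.2.9 login phone=555-0300 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) login phone=(?P<phone>\S+) result=(?P<result>\w+)$"
)


def parse_log(text):
    """Turn log lines into (timestamp, ip, phone, result) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["ip"], m["phone"], m["result"]))
    return events


def detect_stuffing(text, window_seconds=60, min_distinct_accounts=5):
    """Flag source addresses that try logins against many *different* accounts
    within a short window. A legitimate user retrying their own PIN touches one
    account; a stuffing tool walks a list, so the distinct-account count is the
    signal, regardless of how many of the attempts succeed."""
    by_ip = defaultdict(list)
    for ev in parse_log(text):
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        peak, start = 0, 0
        for end, (ts, _, _, _) in enumerate(events):
            # Slide the window start forward until it is within window_seconds of ts.
            while (ts - events[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = {e[2] for e in events[start:end + 1]}
            peak = max(peak, len(distinct))
        if peak >= min_distinct_accounts:
            flagged[ip] = {
                "distinct_accounts": peak,
                "attempts": len(events),
                # Accounts the tool actually got into: these need a PIN reset and session revocation.
                "successful_accounts": sorted({e[2] for e in events if e[3] == "success"}),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {info['distinct_accounts']} accounts in window, "
              f"{info['attempts']} attempts, compromised={info['successful_accounts']}")
```

The successful_accounts list is the actionable output: those are the customers who should receive a forced PIN reset, which is what Boost's temporary-PIN text message amounts to.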

Boost said it has sent affected customers a text message with a temporary PIN.

A spokesperson for Sprint did not immediately comment. We’ll have more when we get it.

Yes, Americans can opt out of airport facial recognition. Here's how

Whether you like it or not, facial recognition tech to check in for your flight will soon be coming to an airport near you.

Over a dozen U.S. airports are already rolling out the technology, with many more to go before the U.S. government hits its target of enrolling the largest 20 airports in the country before 2021.

Facial recognition is highly controversial and has many divided. On the one hand, it reduces paper tickets and is meant to make it easier for travelers to check in at the airport before their flight. But facial recognition also has technical problems. According to a Homeland Security watchdog, the facial recognition systems used at airports only worked 85 percent of the time in some cases. Homeland Security said the system is getting better over time and will be up to scratch by the supposed 2021 deadline — even if the watchdog has its doubts.

Many also remain fearful of the privacy and legal concerns. After all, it’s not Customs and Border Protection collecting your facial recognition data directly — it’s the airlines — and they pass it onto the government.

Delta debuted the tech last year, scanning faces before passengers fly. JetBlue also followed suit, and many more airlines are expected to sign up. That data is used to verify boarding passes before travelers get to their gate. But it’s also passed onto Customs and Border Protection to check passengers against their watchlists — and to crack down on those who overstay their visas.

Clearly that’s rattling travelers. In a recent Twitter exchange with JetBlue, the airline said customers are “able to opt out of this procedure.”

That's technically true, although you might not know it at many U.S. airports. The Electronic Frontier Foundation found that it's not easy to opt out, but it is possible.

A sign allowing U.S. citizens to opt out of facial scans. (Image: Twitter/Juli Lyskawa)

If you're a U.S. citizen, you can opt out by telling an officer or airline employee at the time of a facial recognition scan. You'll need your U.S. passport with you — even if you're flying domestically. Border officials or airline staff will manually check your passport or boarding pass, as they would normally do before you board a plane.

Be on the lookout for any signs that say you can opt out, but also be mindful that there may be none at all. You may have to opt out multiple times between arriving at the airport and reaching your airplane seat.

“It might sound trite, but right now, the key to opting out of face recognition is to be vigilant,” wrote EFF’s Jason Kelley.

Bad news if you're not an American: you will not be allowed to opt out.

“Once the biometric exit program is a nationally-scaled, established program, foreign nationals will be required to biometrically confirm their exit from the United States at the final [boarding] point,” said CBP spokesperson Jennifer Gabris in an earlier email to TechCrunch. “This has been and is a Congressional mandate,” she said.

There are a few exceptions: Canadian citizens who don't require a visa to enter the U.S. are exempt, as are diplomatic and government visa holders.

Facial recognition data collected by the airlines on U.S. citizens is stored by Customs and Border Protection for between 12 hours and two weeks, and 75 years for non-citizens. That data is stored in several government databases, which border officials can pull up when you’re arriving or leaving the U.S.

Why should you opt out? As an American, it's your right to refuse. Homeland Security once said Americans who didn't want their faces scanned at the airport should "refrain from traveling." Now all it takes is a "no, thanks."


Two years after WannaCry, a million computers remain at risk

Two years ago today, a powerful ransomware began spreading across the world.

WannaCry spread like wildfire, encrypting hundreds of thousands of computers in over 150 countries in a matter of hours. It was the first time that ransomware, malware that encrypts a user's files and demands cryptocurrency in ransom to unlock them, had spread across the world in what looked like a coordinated cyberattack.

Hospitals across the U.K. declared a “major incident” after they were knocked offline by the malware. Government systems, railway networks and private companies were also hit.

Security researchers quickly realized the malware was spreading like a computer worm, across computers and over the network, using the Windows SMB protocol. Suspicion soon fell on a batch of highly classified hacking tools developed by the National Security Agency, which weeks earlier had been stolen and published online for anyone to use.

“It’s real,” said Kevin Beaumont, a U.K.-based security researcher at the time. “The shit is going to hit the fan big style.”

WannaCry relied on stolen NSA-developed exploits, DoublePulsar and EternalBlue, to hack into Windows PCs and spread through the network. (Image: file photo)

An unknown hacker group — later believed to be working for North Korea — had taken those published NSA cyberweapons and launched their attack, likely not realizing how far the spread would go. The hackers used the NSA's DoublePulsar implant to establish a persistent backdoor that was used to deliver the WannaCry ransomware. Using the EternalBlue exploit, the ransomware spread to every other unpatched computer on the network.

A single vulnerable and internet-exposed system was enough to wreak havoc.

Microsoft, already aware of the theft of hacking tools targeting its operating systems, had released patches. But consumers and companies alike moved slowly to patch their systems.

In just a few hours, the ransomware had caused billions of dollars in damages. Bitcoin wallets associated with the ransomware were filling up as victims paid to get their files back, more often than not in vain.

Marcus Hutchins, a malware reverse engineer and security researcher, was on vacation when the attack hit. "I picked a hell of a fucking week to take off work," he tweeted. Cutting his vacation short, he got to work. Using data from his malware tracking system, he found what became WannaCry's kill switch: a domain name embedded in the code, which he registered, and he immediately saw the number of infections grind to a halt. Hutchins, who pleaded guilty to unrelated computer crimes last month, was hailed a hero for stemming the spread of the attack. Many have called for leniency, if not a full presidential pardon, for his efforts.

Trust in the intelligence services collapsed overnight. Lawmakers demanded to know how the NSA planned to mop up the hurricane of damage it had caused. It also kicked off a heated debate about how the government hoards vulnerabilities to use as offensive weapons to conduct surveillance or espionage — or when it should disclose bugs to vendors in order to get them fixed.

A month later, the world braced itself for a second round of cyberattacks, in what felt like it would soon become the norm.

NotPetya, another ransomware for which researchers also found a kill switch, used the same DoublePulsar and EternalBlue exploits to ravage shipping giants, supermarkets and advertising agencies, which were left reeling from the attacks.

Two years on, the threat posed by the leaked NSA tools remains a concern.

As many as 1.7 million internet-connected endpoints are still vulnerable to the exploits, according to the latest data. Data generated by Shodan, a search engine for exposed databases and devices, puts the figure at the million mark — with most of the vulnerable devices in the U.S. But that only accounts for devices directly connected to the internet and not the potentially millions more devices connected to those infected servers. The number of vulnerable devices is likely significantly higher.

More than 400,000 exposed systems in the U.S. alone can be exploited using NSA’s stolen hacking tools. (Image: Shodan)

WannaCry continues to spread and occasionally still infects its targets. Beaumont said in a tweet Sunday that the ransomware remains largely neutered, unable to unpack and begin encrypting data, for reasons that remain a mystery.

But the exposed NSA tools, which remain at large and able to infect vulnerable computers, continue to be used to deliver all sorts of malware — and new victims continue to appear.

Just weeks before the city of Atlanta was hit by ransomware, cybersecurity expert Jake Williams found its networks had been infected by the NSA tools. More recently, the NSA tools have been repurposed to infect networks with cryptocurrency mining code to generate money from the vast pools of processing power. Others have used the exploits to covertly ensnare thousands of computers and harness their bandwidth to launch distributed denial-of-service attacks, pummeling other systems with massive amounts of internet traffic.

WannaCry caused panic. Systems were down, data was lost, and money had to be spent. It was a wakeup call that society needed to do better at basic cybersecurity.

But with a million-plus unpatched devices still at risk, there remains ample opportunity for further abuse. Even if we haven't forgotten two years on, clearly more can be done to learn from the failings of the past.


‘Unhackable’ encrypted flash drive eyeDisk is, as it happens, hackable

In security, nothing is “unhackable.” When it’s claimed, security researchers see nothing more than a challenge.

Enter the latest findings from Pen Test Partners, a U.K.-based cybersecurity firm. Their latest project was ripping apart the “unhackable” eyeDisk, an allegedly secure USB flash drive that uses iris recognition to unlock and decrypt the device.

eyeDisk raised over $21,000 in its Kickstarter campaign last year and began shipping devices in March.

There’s just one problem: it’s anything but “unhackable.”

Pen Test Partners researcher David Lodge found the device’s backup password — to access data in the event of device failure or a sudden eye-gouging accident — could be easily obtained using a software tool able to sniff USB device traffic.

The secret password — “SecretPass” — can be seen in plaintext. (Image: Pen Test Partners)

“That string in red, that’s the password I set on the device. In the clear. Across an easy to sniff bus,” he said in a blog post detailing his findings. The password is

Worse, he said, the device's real password can be picked up even when the wrong password has been entered. Lodge explained that the device reveals its stored password first and only then validates it against whatever password the user submitted, before the unlock password is sent.

Lodge said anyone using one of these devices should use additional encryption on the device.

The researcher disclosed the flaw to eyeDisk, which promised a fix, but has yet to release it. eyeDisk did not return a request for comment.

Flaws in a popular GPS tracker leak real-time locations and can remotely activate its microphone

A popular GPS tracker — used as a panic alarm for elderly patients, to monitor kids, and track vehicles — contains security flaws, which security researchers say are so severe the device should be recalled.

The Chinese-manufactured white-label location tracker, rebranded and sold by over a dozen companies — including Pebbell by HoIP Telecom, OwnFone Footprint, and SureSafeGo — uses a SIM card to connect to the 2G/GPRS cell network. Although none of the devices have internet connectivity and won't be found on exposed device database sites like Shodan, they can still be remotely accessed and controlled by SMS.

Researchers at U.K. cybersecurity firm Fidus Information Security say the device can be tricked into turning over its real-time location simply by anyone sending it a text message containing a keyword. Through another command, anyone can call the device and remotely listen in to its in-built microphone without alerting anyone.

Another command can remotely kill the cell signal altogether, rendering the device effectively useless.

Although the device can be protected with a PIN, it’s not enabled by default. Worse, the researchers found the device can be remotely reset without needing a PIN — opening up the device to further commands.

“This device is marketed at keeping the most vulnerable safe and yet anybody can locate and listen into thousands of people’s lives without their knowledge,” said Fidus’ Andrew Mabbitt, who wrote up the team’s findings. “This day and age, everything is connected one way or another and we seem to be leaving security behind; this isn’t going to end well.”

An attacker only requires the phone number of the device, Mabbitt told TechCrunch. His team showed it was easy to extrapolate hundreds of working phone numbers connected to vulnerable devices based on a single known device. "We made the assumption that these numbers were purchased in a batch," said the team's write-up.

The team bought a device and allowed TechCrunch to verify their findings. With a single command, we got a text message back in seconds with the precise coordinates of its location. We could also pull other information from the device, including its IMEI number and battery level.

The phone call trick, which Mabbitt called a “glorified wiretap,” also worked.

One text message to a vulnerable device, bought by the security researchers, allowed us to remotely grab its real-time coordinates. The geolocation was precise to a few meters. (Image: TechCrunch)

An estimated 10,000 devices are in the U.K. — and thousands more around the world. The team told several of the device makers of the flaws, but Mabbitt said there's no way to fix the vulnerabilities without recalling every device.

“Fixing this broken security would be trivial,” said the team. “All they needed to do was print a unique code on each pendant and require that to be used to change configurations. The location and call functions could be locked down to calls and texts only from those numbers previously programmed in as emergency contacts.”
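The fix the team describes, modelled here as an added example: a simulated SMS command handler with the shipped behaviour (PIN off by default, unauthenticated reset) beside a hardened version that requires a per-device code for configuration changes and answers location and call requests only for programmed emergency contacts. This is illustrative code written for this article, not the tracker's firmware; the command keywords, phone numbers, coordinates and device code are placeholders.

```python
import hmac
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

Coords = Tuple[float, float]


@dataclass
class TrackerState:
    location: Coords                                   # constructed fixed GPS fix
    contacts: Set[str] = field(default_factory=set)    # programmed emergency contacts
    pin: Optional[str] = None                          # None means PIN protection is off


class InsecureTracker:
    """Models the reported behaviour: PIN off by default, any sender may query
    the location, and a factory reset wipes the PIN without authentication.
    Command keywords (LOCATE, SETPIN, RESET) are placeholders, not the real ones."""

    def __init__(self, location: Coords):
        self.state = TrackerState(location)

    def handle_sms(self, sender: str, text: str) -> str:
        parts = text.split()
        cmd = parts[0].upper() if parts else ""
        if cmd == "SETPIN" and len(parts) == 2:
            self.state.pin = parts[1]
            return "PIN SET"
        if cmd == "RESET":
            # Unauthenticated reset: even a set PIN offers no lasting protection.
            self.state = TrackerState(self.state.location)
            return "RESET OK"
        if cmd == "LOCATE":
            if self.state.pin is not None and (len(parts) != 2 or parts[1] != self.state.pin):
                return "ERR PIN"
            lat, lon = self.state.location
            return f"LOC {lat},{lon}"
        return "ERR"


class HardenedTracker:
    """The fix the researchers describe: configuration changes need a unique
    per-device code (printed on the pendant), location and call functions work
    only for programmed emergency contacts, and unauthorised traffic gets no reply."""

    def __init__(self, location: Coords, device_code: str):
        self.state = TrackerState(location)
        self._device_code = device_code   # unique per unit, assigned at manufacture

    def _code_ok(self, supplied: str) -> bool:
        # Constant-time comparison so reply timing does not leak the code.
        return hmac.compare_digest(supplied.encode(), self._device_code.encode())

    def handle_sms(self, sender: str, text: str) -> Optional[str]:
        parts = text.split()
        cmd = parts[0].upper() if parts else ""
        # Configuration commands: only with the printed device code.
        if cmd == "ADDCONTACT" and len(parts) == 3 and self._code_ok(parts[1]):
            self.state.contacts.add(parts[2])
            return "CONTACT ADDED"
        if cmd == "RESET" and len(parts) == 2 and self._code_ok(parts[1]):
            self.state = TrackerState(self.state.location)
            return "RESET OK"
        # Sensitive functions: only for numbers programmed as emergency contacts.
        if cmd in ("LOCATE", "CALL") and sender in self.state.contacts:
            if cmd == "CALL":
                return "CALLING " + sender
            lat, lon = self.state.location
            return f"LOC {lat},{lon}"
        return None   # drop silently: no error text that confirms the device exists


if __name__ == "__main__":
    weak = InsecureTracker((51.5074, -0.1278))
    weak.handle_sms("+440000000001", "SETPIN 4321")
    print("insecure, stranger after reset:", weak.handle_sms("+440000000002", "RESET"),
          weak.handle_sms("+440000000002", "LOCATE"))
    strong = HardenedTracker((51.5074, -0.1278), device_code="K7Q2-9ZLM")
    strong.handle_sms("+440000000001", "ADDCONTACT K7Q2-9ZLM +440000000001")
    print("hardened, stranger:", strong.handle_sms("+440000000002", "LOCATE"),
          "contact:", strong.handle_sms("+440000000001", "LOCATE"))
```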

The U.K. just last week announced a proposed new cybersecurity law that would require connected devices to be sold with a unique password, and not a default.

None of the device sellers we contacted responded to a request for comment.
