According to the researcher, the private information of Instagram users was just a DM away: a Facebook bug exposed their private data, including email addresses and birthdays. Ironically, at the time of registration the service promises users that such information won’t be disclosed to the public.
The bug made it easy for an attacker to get such private information from Instagram users. However, it is worth noting that the bug existed in Facebook’s Business Suite tool available for Facebook business accounts and offered access to a feature that the company was testing.
The experimental feature aimed to link a Facebook account to Instagram so that the suite displayed more information about the person, such as their birthdate and personal email address, along with a DM (direct message) option.
The attack worked on accounts that were set as private and didn’t receive DMs from the public. Such accounts could not receive a notification if their profile was viewed.
A Facebook spokesperson revealed in an official statement that the bug was active for a short while during an experiment conducted in October. After the bug was fixed, Facebook allowed the researcher to disclose its details. This, however, is not the first time critical bugs have been found in Facebook-owned Instagram. Instagram kept deleted messages and pictures of users on its servers for more than a year. The company claimed that the reported content was retained due to a bug.