Thursday, 22 August 2019
Latest news
Main » Instagram Security Flaw Allowed Marketing Firm Collect Users' Personal Data

Instagram Security Flaw Allowed Marketing Firm Collect Users' Personal Data

11 August 2019

Today, reports surfaced that a Facebook third-party marketing partner, Hyp3r, collected public Instagram user data that was meant to disappear after 24 hours over the course of a year.

According to the non-profit group Public Knowledge, Hyp3r collected public records of Instagram users' geolocation, personal bios, followers, metadata and photos - all without users' consent. It also saved public Stories - viewing them beyond the 24-hour mark where they're supposed to expire - and scraped user profile data.

On detecting foul play, Instagram sent a cease-and-desist letter to Hyp3r, CNET reported on Wednesday. After this, Hyp3r publicly welcomed Instagram's API changes.

Hyp3r didn't immediately respond to a request for comment and denied breaking Instagram's rules to Business Insider.

An investigation from Business Insider has uncovered how a San Francisco tech company used Instagram to collect the information of millions of users before offering it to clients as a marketing tool. Still, HYP3R was able to exploit Instagram users' data for months without detection, creating a database that would come in handy for a self-proclaimed "location-based marketing platform".

But, HYP3R - which describes itself as a "location-based marketing platform that helps business unlock geosocial data" - told Business Insider it did not break any rules in the way it gathered data. While Instagram has banned the HYP3R agency from its platform, it could not save the data collected by them over the past year.

What's more: HYP3R was featured on Facebook's rather exclusive list of Facebook Marketing Partners, which is a directory of supposedly vetted companies that "can give you superior insights and data for better marketing decisions".

Hyp3r said it complied with privacy regulations and the terms of service for the social networks it targeted.

We do not view any content or information that can not be accessed publicly by everyone online, he added. The Hyp3r and their advisors contact the Facebook staff for scheduling meetings with the social network.

There is no information on the number of users affected by the data theft, but the company is still investigating the matter.

The result of the public data it gleaned was a sophisticated database about Instagram customers, their interests, and their actions that Hyp3r openly touted to customers as one of its key selling factors, even if Instagram's policies have been structured so that such a thing wouldn't be possible.

Instagram Security Flaw Allowed Marketing Firm Collect Users' Personal Data