At first glance, the Instagram security bug that was exploited to obtain celebrities' phone numbers and e-mail addresses appeared to be limited, possibly to a small number of celebrity accounts. Now a database of 10,000 credentials published online Thursday night suggests the breach is much biggerThe database was provided by someone who e-mailed in response to Thursday's story, mentioned above, about the Instagram breach. The sender said he was able to scrape personal data belonging to 6 million users and was selling the data in a searchable website for $10 per query. The person provided a sample of 10,000 of those records.
While Instagram has yet to confirm the authenticity of the sample, an analysis by Ars and security researcher Troy Hunt, maintainer of the Have I been Pwnd breach notification service, all but concludes it's legitimate. To protect potentially affected end users, Ars isn't publishing the sites hosting the sale of the purported 6 million records or the sample, which was freely available when this post was going live.
Of the 10,000-records in the sample, 9,911 of them include either a phone number or e-mail. 5,341 include a phone number, and 4,341 include a phone number and e-mail. The data clearly isn't thrown together