Until recently, a security vulnerability in the social media platform Instagram allowed Hyp3r to illicitly harvest millions of Instagram users’ data and track their locations.
In a similar manner to the Cambridge Analytica scandal that plagued Facebook following the 2016 US presidential election, this latest example of Hyp3r’s mass data collection was discovered through a journalistic investigation and was not uncovered by the social media platform.
Hyp3r used locations ‘tagged’ in the Instagram Stories of users with public profiles as data points. When other users ‘tagged’ the Hyp3r-monitored locations, the platform would harvest that data. This information, along with data on user biographies, images, locations and interests, was compiled to generate detailed profiles. It is estimated that at least 1 million posts per month were processed by Hyp3r.
In response to Hyp3r’s activities, Instagram is launching a Data Abuse Bounty Program similar to the one operated for the Facebook platform. The program rewards external experts with cash bounties for spotting instances where users’ data is being misappropriated.
Not uncommon in the tech industry, bounty programs are one way that companies are attempting to probe their systems for flaws. The very existence of bounty programs perhaps suggests that these multi-billion-dollar platforms do not have the internal capabilities to combat the defects in their own security systems. Coupled with the fact that not every platform will have the resources to host such reward-driven programs, it is not clear that such programs, which are reliant on external third-party experts, are enough to combat the ever-increasing number of actors seeking to misappropriate individuals’ personal information.