An extensive new report from Business Insider today details how the marketing startup Hyp3r was able to use Instagram loopholes to garner an incredible amount of information about users. Hyp3r took advantage of “a combination of configuration errors and lax oversight by Instagram” to build “detailed profiles of people’s movements and interests.”
Ecobee HomeKit Thermostat
Hyp3r describes itself as a “location-based marketing platform.” This means that its primary focus is on tracking social media posts that include location data. Once it collects datasets of users, it lets its own customers target those users with relevant advertisements.
In simpler terms: Hyp3r is a marketing company that tracks social-media posts tagged with real-world locations. It then lets its customers directly interact with those posts via its tools and uses that data to target the social-media users with relevant advertisements. Someone who visits a hotel and posts a selfie there might later be targeted with pitches from one of the hotel’s competitors, for example.
Today’s report explains that Hyp3r used four key tools to scrape data from Instagram users. First, it utilized an Instagram security hole that allowed it to “zero in on specific locations” and collect all the posts made from those locations. Second, Hyp3r “systematically saved users’ public Instagram stories,” again utilizing that location data. Third, it “scraped public user profiles on a broad basis, collecting information like user bios and followers, which it then combined with the other location information.”
Lastly, Hyp3r used image recognition software on user posts to analyze that the images included. The result was a database detailing a plethora of information about Instagram users:
The result of the public information it gleaned was a sophisticated database about Instagram users, their interests, and their movements that Hyp3r openly touted to customers as one of its key selling points, despite the fact that Instagram’s policies were structured so that such a thing would not be possible.
In a statement, Instagram said that it has both removed Hyp3r from its platform and made changes to prevent this situation from occurring again:
“HYP3R’s actions were not sanctioned and violate our policies. As a result, we’ve removed them from our platform. We’ve also made a product change that should help prevent other companies from scraping public location pages in this way,” a spokesperson said in a statement.
The full report from Business Insider is absolutely worth a read and can be found here.