On Thursday, hackers launched a searchable database of email addresses and phone numbers for a slew of high-profile Instagram accounts, as The Daily Beast first reported. Soccer star Cristiano Ronaldo, the official POTUS Instagram, and several pop stars are all among the affected users, and the hackers’ site, dubbed “Doxagram,” also hosts details on more ordinary Instagram accounts. In all, the hackers claim to have information on over 6 million users.
It looks like Instagram is fighting back.
Along with its parent company Facebook, Instagram has seemingly registered hundreds of different Doxagram domains, according to online records. The tactic is likely an attempt to force the hackers’ website offline, or at least make spreading the exposed data more difficult, with Instagram essentially wresting control of any relevant domains before the hackers can. This way, when one domain company cuts off service to the hackers, they’ll have fewer options for making websites with the Doxagram brand—without a domain that explicitly includes “Doxagram,” such as doxagram.org, those hoping to dig through celebrities’ Instagram data may have a harder time finding the site.
At the end of August, Instagram announced it had fixed a vulnerability that allowed attackers to obtain the email address and phone number of users—data that was typically private. But for many users, the fix came too late; hackers had already used it to harvest details on allegedly millions of accounts, and subsequently listed them on Doxagram for $10 a record.
Originally, the hackers behind Doxagram used a .com domain, but the company controlling it booted the hackers, one of the people behind Doxagram told The Daily Beast on Monday. The site moved to a .ws domain, before being kicked off that one as well.
“Apparently Facebook complained about us selling ‘stolen’ information,” the person said. (The person proved they were affiliated with the hackers by adding a page to the Doxagram site printing their online chat account; they did not provide a name.)
Meanwhile, Instagram has seemingly purchased at least 280 domains, including doxagram.lol, .website, and .org, according to records maintained by online service PassiveTotal. The domains list a Facebook email address as the point of contact, and “Instagram LLC” as the domain administrator.
The domain registrar itself is MarkMonitor, a company that specializes in protecting brands and intellectual property online and which offers a “Domain Management” service, according to the firm’s website. MarkMonitor did not respond to a request for comment.
Despite Instagram’s apparent efforts, grabbing as many related domains as possible may do little to stop the flow of this data. Not only do over 1,500 different types of domains exist, but the people behind Doxagram have also launched a dark web version of their website.
A dark web site, or more specifically a hidden service, is a site that uses a network and piece of software called Tor. These websites can hide the location of their servers, making it more difficult for law enforcement or victims to know where to send any take-down requests or complaints. Drug dealers and child abusers regularly use dark web sites to distribute their material; others use Tor for legal purposes. (The normal version of the Doxagram site is protected by services from internet security firm Cloudflare, which also obscures the location of the site’s servers.)
Besides hiding a site’s infrastructure, the dark web does not require a company such as Google or GoDaddy to provide a domain for the owner of a website. Instead, admins can create and manage their own.
“It’s a bit odd,” the person behind Doxagram said, referring to Instagram’s reaction. The person didn’t think Instagram’s approach would have an effect on Doxagram’s operations.
At the time of writing, a normal web version of Doxagram as well as its dark web equivalent are both up and running. The Doxagram administrator who spoke to The Daily Beast claims that the site has made over $4,100 so far.
“I’m pretty satisfied, especially considering most of it was over the weekend,” they said.
Neither Facebook nor Instagram immediately responded to emailed questions on Monday, but an Instagram spokesperson previously told The Daily Beast in a statement, “We now also know that some individuals are attempting to sell the contact information that was obtained. We take people’s security very seriously and are working closely with law enforcement on this matter. We encourage people to be vigilant about the security of their account and exercise caution if they encounter any suspicious activity such as unrecognized incoming calls, texts and emails.”
In a blog post published Friday, Instagram’s chief technology officer and co-founder Mike Krieger wrote, “We are very sorry this happened.”