Instagram has let the public know about an issue, patched in March, that exposed contact information for millions of users. The exposure had been going on since October and was only fixed in March. Now, nearly two months later, Instagram is finally telling everyone about it.
The information that was leaked included email addresses, phone numbers and the corresponding names.
The issue was reported to Instagram back in February and patched in March. The bright side is that this is information that is likely already available all over the internet for most people. It could have been much worse, and could have leaked things like your address and more sensitive information. Though your phone number is pretty sensitive already.
An Indian marketing company called Chtrbox actually made a database of all of this information, which means that everyone who was exposed will likely be getting some spam from this company. That is really rather unfortunate. And it's pretty likely that other companies have also created databases with all of this information. All thanks to Facebook continuing to be careless about our data.
This is just the latest in a long string of security failures by Facebook and its family of apps (including Messenger, Instagram and WhatsApp). None of this should come as a surprise at this point, as Facebook has demonstrated time and time again that it simply does not care about its users' data. And that doesn't seem to be changing anytime soon either.
Unlike with some of the exploits that Google found in its social network, Google+, it does look like there were some people out there collecting all of this data. With Google+, it didn't appear that anyone was able to scrape that data, though most of it was also only available to those who had developer accounts with Google. So it wasn't quite out in the open like Instagram's exploit was.
The good thing is that this exploit has been patched, though it was available for a good five months, which is rather insane for Instagram. It is possible that Instagram did not know about this exploit until it was discovered and reported in February. Instagram was pretty quick at getting it patched, which is good news. The time between the patch and the announcement is not too crazy. These things typically don't get announced until a few months after they have been patched. Companies also don't say that there was an exploit before it is patched, as that could lead to many more issues.
As mentioned, the data that leaked out from Instagram could have been far worse – like your likes on Instagram. But your phone number is still pretty sensitive. Of course, you need to have your phone number on your account so you can use two-factor authentication. So you can't exactly remove it from your account – well, you can, but there wouldn't be any more two-factor authentication, making the account much less secure.
For users, there's nothing that needs to be done. But if you are worried, you can change your password on your account.