A bug in Instagram allowed hackers to obtain access to phone numbers and email addresses of high-profile user accounts. The bug was part of Instagram's application programming interface (API) which is used to communicate with other apps.
It might explain the hack of singer-actress Selena Gomez's account from earlier this week, which was followed by nude pictures of her ex-boyfriend Justin Bieber from 2015.
“We recently discovered that one or more individuals obtained unlawful access to a number of high-profile Instagram users’ contact information — specifically email address and phone number — by exploiting a bug in an Instagram API,” the company said in a statement. “No account passwords were exposed. We fixed the bug swiftly and are running a thorough investigation.”
For what it's worth, Instagram does have support for two-factor authentication, though it remains unclear if the affected accounts had it enabled, or whether it was somehow bypassed by the hackers. On its help site, Instagram’s security tips for keeping accounts safe include using a strong password, changing the password regularly, and using two-factor authentication (which requires entry of a code sent via text message to verify a user’s identity) for additional account security.