A bug that exposed users’ contact information affected a far greater number of accounts than Instagram originally said. The bug, which appears to have been responsible for Selena Gomez’s account being hacked this week, allowed hackers to scrape email addresses and contact information for millions of accounts, Instagram said today. (It has since been fixed.) While the company first said the hack was limited to holders of verified accounts, it said today that non-verified users had been affected as well.

Hours after the hack was disclosed, hackers established a searchable database named Doxagram allowing users to search for victims’ contact information for $10 per search. The hacker provided a list of 1,000 accounts they said were available for searching on Doxagram to the Daily Beast, and the list included most of the 50 most-followed accounts on the service. Instagram still will not say how many accounts were affected, other than that it is a “low percentage of Instagram accounts.” There are more than 700 million active Instagram accounts; hackers say they have information on file for 6 million users. Users’ passwords were not exposed in the hack, Instagram said.

Source: An Instagram hack hit millions of accounts, and victims’ phone numbers are now for sale – The Verge