Marcel Winatschek

Six Million Loose Ends

In September 2017, a bug in Instagram’s API exposed the contact data—names, email addresses, phone numbers—of roughly six million accounts. Someone built a searchable database out of the stolen records almost immediately: ten dollars for a thousand entries. The whole thing surfaced when Selena Gomez’s account was compromised, which is how these things tend to be discovered: not through rigorous security auditing, but because someone recognizable got hit first.

Instagram initially said only high-profile accounts were affected, then revised that statement when it became clear that ordinary users were in the pile too. Facebook, which owns Instagram, patched the API hole and issued the standard reassurance. Passwords were not compromised, they said. Just contact information.

"Just contact information" is doing a lot of work in that sentence. Phone numbers and email addresses are the keys to most account recovery flows—get those two things and a little patience, and you can work through someone’s entire digital life via social engineering. It’s not the data that’s dangerous. It’s what the data unlocks.

I’ve been using a password manager long enough that I’ve forgotten what most of my passwords even are, which is the point. Different random string for every service, nothing reused. When one platform goes down, the damage stays contained. It doesn’t feel like security exactly—more like managed fatalism. You assume exposure is coming eventually. You just try not to make it easy to unravel everything at once.
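The two points above, that leaked contact data widens the blast radius through account recovery and that per-service random passwords keep a breach contained, can be made concrete with a small audit. The following Python is an added example, not code from this post; the services, e-mail addresses and phone numbers are constructed placeholders, and the two "exposure" functions are hypothetical helpers written for illustration.

```python
import secrets
import string
from dataclasses import dataclass

# Alphabet for generated passwords; secrets (not random) gives CSPRNG-backed choices.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 24) -> str:
    """Return a fresh random password; a password manager does this once per service."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass(frozen=True)
class Account:
    service: str
    password: str
    recovery_email: str
    recovery_phone: str


def sample_accounts(reuse_password: bool = False) -> list:
    """Constructed inventory of one person's accounts (hypothetical services and contacts).

    With reuse_password=True every account shares one password, the anti-pattern the
    post warns against; otherwise each gets its own generated string.
    """
    shared = generate_password()
    pw = (lambda: shared) if reuse_password else generate_password
    return [
        Account("photo-app", pw(), "alice@example.com", "+1-555-0100"),
        Account("webmail", pw(), "alice.backup@example.net", "+1-555-0199"),
        Account("bank", pw(), "alice.backup@example.net", "+1-555-0100"),
        Account("forum", pw(), "alice@example.com", "+1-555-0177"),
    ]


def password_reuse_exposure(accounts: list, breached_service: str) -> list:
    """Other services whose password equals the breached one.

    This is the set a credential-stuffing attempt would open after the leak;
    with unique passwords it is empty.
    """
    by_service = {a.service: a for a in accounts}
    leaked = by_service[breached_service].password
    return sorted(
        a.service for a in accounts
        if a.service != breached_service and a.password == leaked
    )


def recovery_contact_exposure(accounts: list, breached_service: str) -> list:
    """Other services whose recovery channel matches the breached account's contact data.

    A leak of 'just contact information' maps directly onto these accounts' reset flows,
    which is why the post says the data matters for what it unlocks.
    """
    by_service = {a.service: a for a in accounts}
    b = by_service[breached_service]
    return sorted(
        a.service for a in accounts
        if a.service != breached_service
        and (a.recovery_email == b.recovery_email or a.recovery_phone == b.recovery_phone)
    )


if __name__ == "__main__":
    contained = sample_accounts()
    sprawling = sample_accounts(reuse_password=True)
    print("unique passwords, photo-app breached:", password_reuse_exposure(contained, "photo-app"))
    print("one shared password, photo-app breached:", password_reuse_exposure(sprawling, "photo-app"))
    print("accounts reachable via leaked contact data:", recovery_contact_exposure(contained, "photo-app"))
```

Running it shows the asymmetry: the password-reuse list is empty for the vault with unique passwords and covers every other account for the shared-password vault, while the recovery-contact list is the same in both cases, because no password hygiene fixes an e-mail address or phone number that is now public. Auditing which accounts share a recovery channel, and moving the important ones onto a dedicated address or an authenticator instead of SMS, is the defensive follow-up.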