From Business Insider:
A combination of configuration errors and lax oversight by Instagram allowed one of the social network’s vetted advertising partners to misappropriate vast amounts of public user data and create detailed records of users’ physical whereabouts, personal bios, and photos that were intended to vanish after 24 hours.
The profiles, which were scraped and stitched together by the San Francisco-based marketing firm HYP3R, were a clear violation of Instagram’s rules. But it all occurred under Instagram’s nose for the past year by a firm that Instagram had blessed as one of its “preferred marketing partners.”
On Wednesday, Instagram sent HYP3R a cease-and-desist letter after being presented with Business Insider’s findings and confirmed that the startup broke its rules.
The existence of the profiles is a stark indication that more than a year after revelations that Facebook users’ data was exploited by Cambridge Analytica to fuel divisive political ad campaigns, Facebook’s struggles in locking down users’ personal information not only persist but also extend beyond the core Facebook app. Instagram, which is owned by Facebook but operated as a mostly separate business, has been largely insulated from the privacy backlash and scrutiny that has rocked its parent company.