Your Instagram Stories may not actually be disappearing after 24 hours — at least one company has been quietly saving them

  • A marketing company has been quietly saving millions of people’s InstagramStories.
  • The revelations are a reminder that information people post on the internet may end up getting used in ways they never imagined.
  • After being alerted by Business Insider, Instagram has booted the offending company off its platform.
  • Visit Business Insider’s homepage for more stories.

Your Instagram Stories might not be as temporary as you think they are.

On Wednesday, Business Insider revealed that a company you’ve probably never heard of has been quietly scraping millions of Instagram users’ data, including saving their Stories. The revelation is a stark reminder that the things you post publicly on social networks can be misappropriated and stored by strangers indefinitely, regardless of your intentions.

So what happened? Hyp3r, a marketing firm from San Francisco, has been illicitly pulling data from the Facebook-owned app and website about its users. It has “geofenced” thousands of locations around the world – bars, restaurants, hotels, stadiums, gyms, and so on – and then systematically saved all public posts from these locations, as well as information about the people posting there.

This even includes Instagram Stories – a format of post for images and videos that are supposed to automatically disappear after 24 hours. Instead, they were hoovered by Hyp3r and then used to assemble intimate pictures of people’s movements, their habits, and the businesses they frequent.

Does this mean your Instagram Stories were affected?

It’s possible. But it’s important to note that only Stories that were posted from and tagged with a specific location – for example, if you took a selfie and tagged your favourite restaurant – were captured by Hyp3r. The firm zeroed in on specific locations and harvested all the Instagram Stories emanating from there, but it was not tapping into the overall firehose of Stories that get shared on Instagram.

And of course, this only applies to Stories that were shared publicly. If your account is set to private, you don’t have to worry.

Sources told Business Insider that Hyp3r sucks up in excess of 1 million Instagram posts a month. It’s not clear what proportion of those are traditional posts versus Stories.

On Thursday the Irish Data Protection Commission told Business Insider it was looking into the issue to determine whether any EU subjects were affected – a possibility that seems very likely, according to Business Insider’s sources.

What do Instagram and Hyp3r say?

The data scrapping violates Instagram’s policies, but Instagram didn’t notice for a year (until Business Insider informed the company). Instead, it actually lauded Hyp3r as a “Facebook Marketing Partner,” even as Hyp3r took advantage of a vulnerability in Instagram’s systems that made accessing this data easier.

Hyp3r meanwhile, has denied wrongdoing, arguing that all the data was public and legitimately accessed, and that it believes it abides by all relevant privacy laws and social network terms of service. Instagram has disagreed, accusing Hyp3r of violating its rules, and has kicked the company off its platform and issued it with a cease and desist.

But Hyp3r is almost certainly not the only organisation out there using technology to quietly scrape people’s social networking activity and creating a detailed profiles of people. The fact that Instagram wasn’t able to detect and prevent this kind of automated scrapping is an embarrassing failing on its part.

In short, the revelations highlight how Instagram and Facebook are still struggling to protect users’ data, more than a year after it was rocked by the Cambridge Analytica scandal. And it demonstrates that posts people make with the understanding they are ephemeral may, unbeknownst to them, be quietly collected by companies and put to uses that they never imagined.

Got a tip? Contact this reporter via encrypted messaging app Signal at +1 (650) 636-6268 using a non-work phone, email at [email protected], Telegram or WeChat at robaeprice, or Twitter DM at @robaeprice. (PR pitches by email only, please.) You can also contact Business Insider securely via SecureDrop.

Read more: