A wave of malicious activity targeting social media platforms has come to light, as cybersecurity researchers uncovered that hackers are actively abusing public APIs from Instagram and TikTok to extract sensitive user information.
The revelations point to an ongoing trend of threat actors exploiting legitimate services to orchestrate fraud, phishing, and data harvesting campaigns.
Abusing APIs for Mass Data Extraction
At the core of the campaign is the exploitation of poorly secured endpoints provided by the APIs of major platforms. These APIs, designed for developer convenience and third-party integrations, have been manipulated to bypass rate-limiting and access control mechanisms. Threat actors have used automated scripts to harvest profile data, including email addresses, phone numbers, and account metadata—particularly from verified users with large followings.
This data is then repurposed for various malicious purposes, including impersonation scams, phishing campaigns, and even brute-force account takeovers. By mimicking legitimate traffic, attackers have avoided detection for extended periods.
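The scraping described above succeeds when per-client limits look only at raw request counts. The following is an added example, not code from the article or from either platform, showing how a defender can scan API access logs for three signs of mass profile extraction: burst rate, breadth of distinct targets in a short window, and sequential enumeration of numeric account ids. The log format, client names, target ids and thresholds are all constructed for illustration.

```python
"""Heuristic detection of profile-scraping patterns in API access logs.

Added example (not the article's or any platform's code). Scans constructed
access-log lines and flags clients whose request rate, target breadth, or
id ordering looks like automated enumeration rather than a normal integration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <client_id> <endpoint> <target_user_id>"
# app-A walks consecutive account ids at two requests per second;
# app-B looks like an ordinary integration fetching a few profiles over minutes.
SAMPLE_LOG = """\
2025-05-15T10:00:00 app-A /users/profile 100483
2025-05-15T10:00:01 app-A /users/profile 100484
2025-05-15T10:00:01 app-A /users/profile 100485
2025-05-15T10:00:02 app-A /users/profile 100486
2025-05-15T10:00:02 app-A /users/profile 100487
2025-05-15T10:00:03 app-A /users/profile 100488
2025-05-15T10:00:03 app-A /users/profile 100489
2025-05-15T10:00:04 app-A /users/profile 100490
2025-05-15T10:00:04 app-A /users/profile 100491
2025-05-15T10:00:05 app-A /users/profile 100492
2025-05-15T10:00:05 app-A /users/profile 100493
2025-05-15T10:00:06 app-A /users/profile 100494
2025-05-15T10:00:00 app-B /users/profile 777001
2025-05-15T10:02:30 app-B /media/list 777001
2025-05-15T10:05:10 app-B /users/profile 777002
2025-05-15T10:09:45 app-B /users/profile 777003
"""


def parse_log(text):
    """Group log lines by client id, each as a time-sorted list of (ts, endpoint, target)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, endpoint, target = line.split()
        events[client].append((datetime.fromisoformat(ts), endpoint, target))
    for rows in events.values():
        rows.sort(key=lambda r: r[0])
    return events


def peak_window(rows, window_seconds):
    """Return (max requests, max distinct targets) seen in any sliding window."""
    window = timedelta(seconds=window_seconds)
    best_count = best_distinct = 0
    start = 0
    for end in range(len(rows)):
        while rows[end][0] - rows[start][0] > window:
            start += 1
        span = rows[start:end + 1]
        best_count = max(best_count, len(span))
        best_distinct = max(best_distinct, len({r[2] for r in span}))
    return best_count, best_distinct


def longest_sequential_run(rows):
    """Longest run of requests whose numeric target ids increase by exactly one."""
    best = run = 1 if rows else 0
    for prev, cur in zip(rows, rows[1:]):
        if prev[2].isdigit() and cur[2].isdigit() and int(cur[2]) == int(prev[2]) + 1:
            run += 1
        else:
            run = 1
        best = max(best, run)
    return best


def analyze(text, window_seconds=60, max_requests=10, max_distinct=8, min_run=5):
    """Map each client id to a list of findings; an empty list means nothing unusual."""
    findings = {}
    for client, rows in parse_log(text).items():
        reasons = []
        count, distinct = peak_window(rows, window_seconds)
        if count > max_requests:
            reasons.append(f"{count} requests in {window_seconds}s (limit {max_requests})")
        if distinct > max_distinct:
            reasons.append(f"{distinct} distinct profiles in {window_seconds}s (limit {max_distinct})")
        run = longest_sequential_run(rows)
        if run >= min_run:
            reasons.append(f"sequential id enumeration, run of {run}")
        findings[client] = reasons
    return findings


if __name__ == "__main__":
    for client, reasons in analyze(SAMPLE_LOG).items():
        print(client, "->", reasons or "normal")
```

The sequential-id heuristic matters because a scraper that keeps its rate just under the published limit still tends to walk the id space in order; a distinct-target count catches the variant that spreads requests across many tokens but still touches far more profiles per minute than a real integration would.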
PyPI Malware Disguised as Legitimate Tools
In parallel with the API abuse, security analysts have identified a related threat involving the Python Package Index (PyPI). A number of malicious packages were recently discovered on the popular software repository, camouflaged as benign libraries. These packages were designed to deliver infostealers and remote access trojans (RATs) upon installation, compromising developer environments and stealing credentials that could be repurposed for API abuse or other attacks.
The attackers behind these PyPI packages appear to have targeted developers working with automation and social media APIs, suggesting a broader strategy to gain access to privileged API tokens and developer credentials.
Verified Users Targeted in Social Engineering Campaigns
Instagram has been especially affected due to an API misconfiguration that allowed attackers to enumerate and extract sensitive data from verified accounts. These accounts, often belonging to celebrities, influencers, and businesses, are high-value targets for impersonation and fraud. Attackers use this information to build convincing phishing lures or to directly reach out to followers with scam offers and malicious links.
The campaigns are notable for their level of automation and targeting precision. Once a verified account’s data is scraped, it is often added to underground databases for resale or future exploitation.
Industry Response and Recommendations
Security researchers have reported these abuses to the affected platforms, prompting a series of internal reviews and patch implementations. TikTok and Instagram are said to be tightening their API access rules and adding stricter rate-limiting and behavioral analytics to detect unusual patterns of activity.
Meanwhile, developers and businesses are urged to review their use of public packages and APIs. Here are key recommendations:
- Review third-party dependencies regularly for malicious or outdated packages.
- Use security tools like pip-audit or GitHub Dependabot to flag risky packages.
- Restrict API token scopes to only what is necessary, and rotate keys frequently.
- Implement IP whitelisting and monitor API usage logs for anomalies.
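The third and fourth recommendations (minimal token scopes, frequent key rotation, IP allowlisting) can be enforced at the point where an API call is authorized rather than left to policy documents. The block below is an added example, not code from the article or from any platform's API, of a small authorization gate that denies a call unless the token is within its rotation age, the source address is on that token's allowlist, and the token carries the scope the endpoint requires. The endpoint-to-scope mapping, token records, networks and dates are constructed for illustration.

```python
"""Least-privilege API token gate: scope, IP allowlist and key age.

Added example (not the article's or any platform's code). Every deny path
returns a reason string so the decision can be written to the usage log
that the article recommends monitoring.
"""
import ipaddress
from datetime import datetime, timedelta

# Constructed mapping: each endpoint requires exactly one named scope.
ENDPOINT_SCOPES = {
    "/users/profile": "profile:read",
    "/users/contact": "contact:read",
    "/media/publish": "media:write",
}

MAX_KEY_AGE = timedelta(days=30)        # rotation policy: keys older than this are refused
REFERENCE_NOW = datetime(2025, 5, 15)   # constructed "current time" for the examples below

# Constructed token registry: scopes kept minimal, sources pinned to known networks.
TOKENS = {
    "tok-analytics": {
        "scopes": {"profile:read"},
        "allowed_networks": [ipaddress.ip_network("203.0.113.0/24")],
        "issued_at": datetime(2025, 5, 1),
    },
    "tok-stale": {
        "scopes": {"profile:read", "contact:read"},
        "allowed_networks": [ipaddress.ip_network("198.51.100.0/24")],
        "issued_at": datetime(2025, 1, 10),
    },
}


def authorize(token_id, source_ip, endpoint, now):
    """Return (allowed, reason). Checks run cheapest-first and stop at the first failure."""
    record = TOKENS.get(token_id)
    if record is None:
        return False, "unknown token"
    if now - record["issued_at"] > MAX_KEY_AGE:
        return False, "token older than rotation policy"
    ip = ipaddress.ip_address(source_ip)
    if not any(ip in net for net in record["allowed_networks"]):
        return False, f"source {source_ip} not in allowlist"
    required = ENDPOINT_SCOPES.get(endpoint)
    if required is None:
        return False, f"unknown endpoint {endpoint}"
    if required not in record["scopes"]:
        return False, f"missing scope {required}"
    return True, "ok"


if __name__ == "__main__":
    calls = [
        ("tok-analytics", "203.0.113.7", "/users/profile"),
        ("tok-analytics", "203.0.113.7", "/users/contact"),
        ("tok-analytics", "192.0.2.5", "/users/profile"),
        ("tok-stale", "198.51.100.9", "/users/contact"),
    ]
    for token, ip, endpoint in calls:
        print(token, ip, endpoint, "->", authorize(token, ip, endpoint, REFERENCE_NOW))
```

Note that `tok-stale` holds the broader `contact:read` scope but is refused outright because it has outlived the rotation window; a leaked long-lived token is exactly the credential the PyPI infostealers described above are after, and an age check turns it into a dead key.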
Final Thoughts
This latest campaign underscores the evolving threat landscape where public APIs, often overlooked in traditional security audits, become prime vectors for large-scale attacks. As social platforms continue to open their ecosystems to developers, balancing functionality with security becomes increasingly critical.
Cybercriminals are exploiting every layer of the modern digital stack—from open-source libraries to cloud-hosted APIs—and the cybersecurity community must stay vigilant in identifying and mitigating these multifaceted threats.
🛡️ Don’t wait for your employees to be the last line of defence.
👉 Start with Exabytes eSecure to explore how we can help you with cybersecurity-related issues.
References
- Cybersecurity News (2025, May 15). Hackers exploit TikTok and Instagram APIs to steal personal data and launch scams.
- The Hacker News (2025, May 16). Malicious PyPI packages exploit developers to steal sensitive data.
- GBHackers (2025, May 15). Hackers abuse TikTok and Instagram APIs to launch large-scale phishing campaigns.
- Trend Micro (2025, May 17). Hackers exploit Instagram API flaw to steal information from verified users.