A massive database containing personal data belonging to millions of Instagram users has leaked on the internet, a report said.

TechCrunch reported that a database containing public and private information of some 49 million Instagram users has been exposed online, giving away their bio, profile photo, location by country and city, and the number of followers they have. What’s more, included in the leak are the users’ email addresses and phone numbers.

The database was left without a password protecting its contents. As such, the information contained was accessible to anyone who simply had access to the internet, and could be scraped for whatever purpose anyone might have.

The leak was discovered by Anurag Sen, a security researcher who contacted TechCrunch to ask for help in finding the database owner so that it could be secured. It so happened that they found the database to be hosted by Amazon Web Services, and traced the database to a Mumbai-based social media marketing firm named Chtrbox.

Chtrbox pays social media influencers to post its sponsored content on their Instagram accounts. The company pays each influencer based on the number of followers they have, the amount of engagement, reach and likes they get for their posts, as well as the number of shares their posts have.

The database contained several high-profile influencers, including celebrities, food bloggers, and other social media influencers. TechCrunch said it reached out to a few of those whose names and contact information are included in the list.

Two of them responded and confirmed that the emails and phone numbers indicated are indeed theirs, and they used these details to create their Instagram accounts. Interestingly, they said they never had any dealings with Chtrbox. TechCrunch said the database was taken down soon after it contacted the marketing firm.

In its defense, Chtrbox responded by saying the database didn’t include private data, and the personal data included therein wasn’t sourced unethically. Moreover, the database was left exposed for only 72 hours, or three days.

A security editor from TechCrunch, however, said the database was first detected on the internet on May 14, which meant it was exposed for more than five days already.