Ya, I mean Instagram is no bastion of privacy, I’m sure - but most managers wouldn’t be thrilled to learn their employees were accessing the production database for fun. It’s less a “but you violated our customer’s trust” and more a “you idiot, why you tempting fate, we are generally one typo away from the whole thing crumbling down anyway!”. And surely no company bothered to build a nice tool that’ll let their employees peruse the DM list of a random user - we can barely get them to build us actual monitoring infrastructure till something breaks! So one would have to put in some effort into gathering this information. Running background checks for some random friend - the risks and effort doesn’t feel like it would be worth it. It seems more likely the girlfriend peeked at OP’s Instagram client herself, or just took a guess, and made up “a source working at Instagram” as a plausible excuse.
Ehhhhh… Having database access like this is fairly common, and it’s very plausible that a nice tool exists for this for moderation purposes. I’m not saying this actually happened, but it’s at least plausible, and frankly you should assume that this is happening behind the scenes at every company. It might be rare, and you might ultimately conclude that it’s worth the risk, but it’s probably good to consider (especially if you’re in any way connected to an employee at such a company).
Yes, access to production database is fairly common (for certain job functions, at least). Unaudited and unfettered database access is much less common. Sure, it happens, but it is rare - especially for something at the scale (& attractiveness to hackers) of Instagram. And yes, an audit trail doesn’t mean your manager will be immediately alerted, and there are people who won’t think of the audit trail and go snooping in prod anyway - so it is possible, but I just don’t think it’s very probable ¯\_(ツ)_/¯
And a moderation tool for direct messages? Which are E2E encrypted? That doesn’t make much sense to me. What moderation function would a “list of people they have DMed in the last 2 years” serve? I guess it could be used to determine if somebody has been harassing someone else - but the block feature exists, why would it reach a moderator in the first place?
and frankly you should assume that this is happening behind the scenes at every company.
Look, I operate under the principle of “anything that I put online, will be eventually public and linked to me” (which is why I would never answer the original question, even with an anonymous account that isn’t linked to my email) and “everybody sucks at infosec” - but that doesn’t mean Instagram employees have a handy way to access a human readable list of people I have DMed.
Occam’s razor is in favour of the girlfriend getting the info the old fashioned way - snooping on the OP’s phone
Ya, I mean Instagram is no bastion of privacy, I’m sure - but most managers wouldn’t be thrilled to learn their employees were accessing the production database for fun. It’s less a “but you violated our customer’s trust” and more a “you idiot, why you tempting fate, we are generally one typo away from the whole thing crumbling down anyway!”. And surely no company bothered to build a nice tool that’ll let their employees peruse the DM list of a random user - we can barely get them to build us actual monitoring infrastructure till something breaks! So one would have to put in some effort into gathering this information. Running background checks for some random friend - the risks and effort doesn’t feel like it would be worth it. It seems more likely the girlfriend peeked at OP’s Instagram client herself, or just took a guess, and made up “a source working at Instagram” as a plausible excuse.
Ehhhhh… Having database access like this is fairly common, and it’s very plausible that a nice tool exists for this for moderation purposes. I’m not saying this actually happened, but it’s at least plausible, and frankly you should assume that this is happening behind the scenes at every company. It might be rare, and you might ultimately conclude that it’s worth the risk, but it’s probably good to consider (especially if you’re in any way connected to an employee at such a company).
Yes, access to production database is fairly common (for certain job functions, at least). Unaudited and unfettered database access is much less common. Sure, it happens, but it is rare - especially for something at the scale (& attractiveness to hackers) of Instagram. And yes, an audit trail doesn’t mean your manager will be immediately alerted, and there are people who won’t think of the audit trail and go snooping in prod anyway - so it is possible, but I just don’t think it’s very probable ¯\_(ツ)_/¯
And a moderation tool for direct messages? Which are E2E encrypted? That doesn’t make much sense to me. What moderation function would a “list of people they have DMed in the last 2 years” serve? I guess it could be used to determine if somebody has been harassing someone else - but the block feature exists, why would it reach a moderator in the first place?
Look, I operate under the principle of “anything that I put online, will be eventually public and linked to me” (which is why I would never answer the original question, even with an anonymous account that isn’t linked to my email) and “everybody sucks at infosec” - but that doesn’t mean Instagram employees have a handy way to access a human readable list of people I have DMed.
Occam’s razor is in favour of the girlfriend getting the info the old fashioned way - snooping on the OP’s phone