Photo sharing site Instagram says it is trying to find out how contact details of almost 50 million of its users were stored online in an unguarded database.
TechCrunch, which broke the story, said it included personal information such as email and phone numbers of high profile users known as "influencers".
The database has been traced to a Mumbai-based company called Chtrbox.
Instagram, which is owned by Facebook, told the BBC it was trying to find out where the data had come from.
"We're looking into the issue to understand if the data described - including email and phone numbers - was from Instagram or from other sources. We're also inquiring with Chtrbox to understand where this data came from and how it became publicly available," it said in a statement.
The TechCrunch report said the data also included information such as the location of users.
The database itself was stored on an Amazon server and was not protected with a password. An Indian researcher who discovered it had alerted TechCrunch to it.
Chtrbox, which is a marketing company, has taken the database offline.
In a statement, the firm said reports were "inaccurate".
"A particular database for limited influencers was inadvertently exposed for approximately 72 hours.
"This database did not include any sensitive personal data and only contained information available from the public domain, or self-reported by influencers."
The firm said it had never purchased any data that had been obtained via "unethical means", such as a hacking.
Nevertheless, gathering - or scraping - information from Instagram accounts violates the policies of the social media site.