"They may have found a weakness in the API that allowed them to exploit it with bots," Mosly said. "Twitter had the same problem and recently updated its API to address it."
What sets this attack apart from prior spam campaigns against Instagram is that it appears to have involved hacked accounts. "These spam images were coming from legitimate users whose accounts had been compromised," said Sapnam Narang, a security response manager at Symnatec.
"That's different from the normal fake accounts that are created for the purpose of spamming," Narang told CSOonline. "We've seen that on Twitter with diet spam."
Instagram members may want to brace themselves for future spam campaigns, cautioned Ragib Hasan, an assistant professor and director of SECRETLab at the Department of Computer and Information Sciences at the University of Alabama at Birmingham.
"This shows that it's possible to spam Instagram," Hasan said in an interview. "My worry is that in the near future you'll see more malicious spamming using this kind of social media."
Sign up for Computerworld eNewsletters.