Facebook doesn't have the best reputation when it comes to minding its users' privacy, and Cambridge Analytica exploiting the social network's third-party APIs for unchecked data collection surely hasn't helped. Now, we've found another service called Ghosty that takes advantage of Instagram's API to create a stalker paradise. By crowdsourcing the data of all of its users' Instagram accounts, it lets anyone view many private profiles.

The promise of the app is sketchy from the get-go: Just share your Instagram login credentials with it to get access to many private accounts. The catch is that you have to invite at least one other person to the service to be able to view private profiles, which is how the app manages to constantly increase its pool of available content — if any of its users happen to follow a private profile, it just farms that account's content. When we looked into the app, we managed to skip the invitation step though and were able to view at least one private profile, so it might only be required in a later phase after hooking new users.

Once someone has started using the app, it further shamelessly exploits their desire to access more private accounts and makes them pay for bundles or watch ads.

The Play Store listing advertises Ghosty's capabilities.

Ghosty isn't even a new app — it's been available on the Play Store since April this year, and it has accumulated more than 500,000 downloads in that period. This should give it quite a huge data pool to work with, and it's surprising neither Google nor Facebook have caught it so far.

To be clear, this app is almost certainly breaking more than just one item from Instagram's terms of service, and Facebook surely doesn't approve or endorse an app that exploits its users like this. In fact, people who enable the service by signing up for it and inviting more friends to join could face consequences like bans when the company gets wind of it. Hopefully, Facebook will react soon and work on ensuring the privacy of anyone who decided to not make their account publicly viewable, even if that means vetting third-party access more rigorously.