I found an Instagram Basic Display API access token leaked on a website. This token belongs to an Instagram marketing account of this website. Using my leet investigating skills, below is the information I have.
- This token has a 3-month validity period
- This token is in use (I see it was refreshed last week when its validity period was going to end), although I cannot find where it is used
- This token is a User Access Token for querying data from the Basic Display API. Doc here: https://developers.facebook.com/docs/instagram-basic-display-api
- This access token only has read access to public information 🙁
- This token will be temporarily rate limited if used too much
Do you know of any impact I can have with this access token other than rate limiting it?
Also, if this token needs to be kept secret, how can we protect it?