Instagram alerted verified users earlier this week about a security flaw that could give hackers access to their personal information. It told the users that it had fixed the issue.
But it appears the bug was exploited before Instagram's fix, and affected more than the most high-profile accounts.
On Friday, Instagram CTO Mike Krieger published a blog post alerting all users to the security flaw.
"Although we cannot determine which specific accounts may have been impacted, we believe it was a low percentage of Instagram accounts. We want to reiterate that no passwords were exposed in this issue," the company said in a statement.
A spokesperson told CNN Tech they are aware individuals are trying to sell the information, and the company is working with law enforcement.
Hackers are selling email and phone number data allegedly belonging to Instagram accounts that they say they scraped before the flaw was fixed. People can look for usernames on a searchable database and buy personalized data for $10 each. The website can't be accessed by traditional web browsers.
A manager of the database told CNN Tech that "we have a variety of high profile accounts, normal accounts, and very high profile celebrities."
Related: Instagram alerts high-profile users their data may have been accessed
The hackers claim to have personal information associated with over 6 million accounts. The manager of the database said he heard about the Instagram vulnerability on a private chat room, and accessed the data on August 25.
This person sent CNN Tech a list a list of 1,000 purported Instagram accounts and associated data, and CNN Tech was able to confirm that some of the emails included were used by existing Instagram accounts.
Facebook, which owns Instagram, declined to comment on Friday.
Earlier this week, entertainer Selena Gomez's Instagram account was hacked and old photos of ex-boyfriend Justin Bieber were posted to her account.
Hackers can use phone numbers and emails to find out a lot about a person. For example, an attacker could take over a phone by hijacking its SIM card and gain access to accounts associated with the phone number.