Less than a day ago, it was revealed more than 20,000 Facebook employees had access to over 600 million user passwords that were stored in plaintext on Facebook’s servers. Now, it’s being reported that Instagram too has suffered from a bug that inadvertently exposed users passwords in plaintext.
According to an exclusive report from The Information, Facebook informed affected Instagram users about a security flaw that caused passwords to be shown in plaintext when users opted to use Instagram’s ‘Download Your Data’ tool, a tool that ironically enough was created to help users see just how much information Instagram (read: Facebook) has collected on them.
 |
| A screenshot of the text shown after users request a download of all the data Instagram has collected from them. |
In an email sent out by Instagram to affected users on Thursday, passwords were exposed in the URL that was sent when a data download request was made. This means if the download link was viewed on a shared or public device, it would be possible for anyone to see the affected users’ password. In a statement to The Information, an Instagram spokesperson said the issue was ‘discovered internally and affected a very small number of people.’
Regardless of how many Instagram users were or weren’t affected by this bug, such an issue shouldn’t be possible if Instagram were properly keeping passwords hidden with the proper encryption technology, as the passwords should never be able to be seen in plaintext — anywhere. In a statement to The Information, principle research scientists at security firm Sophos, Chet Wisniewski, said:
‘This is very concerning about other security practices inside of Instagram because that literally should not be possible. If that’s happening, then there are likely much bigger problems than that’
The ‘Download Your Data’ tool has since been updated to fix the issue, but it might be a good idea to change your Instagram passwords regardless as a precaution.
Articles: Digital Photography Review (dpreview.com)
