Instagram’s Download Your Data tool contained a security vulnerability that accidentally exposed the passwords of a small number of users in plain text. Here is an explanation of what happened and how to find out which Instagram accounts were compromised by the security bug.
The Instagram tool that allows users to download a copy of their data from the social media platform had a security flaw that accidentally leaked passwords in plain text.
In April, Facebook-owned Instagram rolled out a Download Your Data tool that sends users a file containing all the pictures, comments, and other information that they have shared on the platform. The feature was rolled out to comply with new data privacy regulations in Europe and to address the privacy concerns of users around the world amid Facebook’s Cambridge Analytica scandal.
Unfortunately, the Download Your Data tool contained a security issue that also sent users their passwords in plaintext in the URL, The Information reported. In addition, for some reason, the passwords were also stored on Facebook’s servers, though they have since been deleted.
The security issue of the Download Your Data tool, which has already been fixed, only affected a “small number of people,” a spokesperson told The Information. However, these users may have had their Instagram passwords exposed if they were using a shared computer, or if they were on a compromised network. If they use the same password on other websites or apps, then the security issue becomes a bigger problem.
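A password placed in a URL is recorded wherever URLs are recorded, such as browser history and web server access logs. The following is an added example, not code from Instagram or from the report: it scans access-log lines for credential-like query parameters and redacts them. The parameter names, paths and log lines are constructed assumptions, since the article does not give them.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed parameter names; the article does not say which parameter carried the password.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "pass", "token", "secret"}

# Constructed access-log lines (common log format); addresses, paths and values are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /export/download?user=alice&password=Hunter2%21 HTTP/1.1" 200 512
203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /export/download?user=bob&job=42 HTTP/1.1" 200 498
203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "POST /login HTTP/1.1" 302 0
198.51.100.4 - - [01/Jan/2024:10:01:00 +0000] "GET /export/status?PWD=abc&next=%2Fhome HTTP/1.1" 200 77
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

def redact_url(target):
    """Return (redacted_target, [names of sensitive params found])."""
    parts = urlsplit(target)
    found, clean = [], []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_KEYS:  # match case-insensitively
            found.append(key)
            value = "REDACTED"
        clean.append((key, value))
    return urlunsplit(parts._replace(query=urlencode(clean))), found

def scan_log(text):
    """Return (findings, sanitized_text); findings are (line_no, method, param names)."""
    findings, out = [], []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if m:
            redacted, found = redact_url(m.group("target"))
            if found:  # rewrite only lines that actually carry a secret
                findings.append((line_no, m.group("method"), found))
                line = line[:m.start("target")] + redacted + line[m.end("target"):]
        out.append(line)
    return findings, "\n".join(out)

if __name__ == "__main__":
    hits, sanitized = scan_log(SAMPLE_LOG)
    for line_no, method, names in hits:
        print(f"line {line_no}: {method} request carries {names} in the URL")
    print(sanitized)
```

Redacting logs after the fact only limits the damage; credentials belong in a request body or header over HTTPS, never in the query string.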
Instagram sent notifications to the users who were affected by the vulnerability, so those who were not contacted should not worry about their account passwords being compromised. However, for all Instagram users who recently used the Download Your Data tool, changing their password or activating two-factor authentication would not hurt, just to be sure.
The newly exposed bug follows a strange Instagram hack in August that locked users out of the platform because their account information, particularly their password, mobile number, and email address, was changed. In several cases, the emails linked to the compromised accounts were changed to Russian emails. The accounts, however, did not share new images, nor did they delete old ones.
Instagram hacks come in several different forms, and users will need to perform specific actions to recover their Instagram accounts. Here is a guide on what to do if you suddenly find yourself a victim of Instagram hacks, so that you can get your account back.