Instagram notified some of its users that it might have accidentally exposed their password due to a security glitch.
According to a company spokesperson, the bug was “discovered internally and affected a very small number of people.”
The news was first reported by The Information, the issue affects the “Download Your Data” tool implemented in April by Instagram to let users known which personal data the site had collected.
The feature was implemented by the social media platform in compliance with General Data Protection Regulation (GDPR).
“The security flaw was tied, ironically, to a tool Instagram introduced in April to let users see how much of their personal data the site had collected. “Download Your Data” lets users download all the data that Instagram has on them, both to comply with new European data-privacy regulations and to satisfy increasingly privacy-sensitive users around the world.” states a blog post published on The Information.
The company informed users that if they had used the “download your data” tool, their passwords were accidentally exposed because they were included in the URL.
“if someone submitted their login information to use the Instagram ‘Download Your Data’ tool, they were able to see their password information in the URL of the page. This information was not exposed to anyone else, and we have made changes so this no longer happens.” an Instagram spokesperson told The Verge.
The use of the tool on public networks could have exposed passwords to attackers, the company also notified users that passwords were also stored on Facebook’s computers.
Security experts fear the company is storing passwords in clear text, but a company spokesperson downplayed the issue, saying that the company only stores password hashes.
“If Instagram were storing passwords with the right encryption technology, this type of flaw shouldn’t be possible, according to Chet Wisniewski, principal research scientist at security firm Sophos.” continues The Information.
“He said the only way it could show up in the URL is if the password were stored somewhere inside of Instagram in plain text, which isn’t recommended in the security industry.”
“This is very concerning about other security practices inside of Instagram because that literally should not be possible. If that’s happening, then there are likely much bigger problems than that,” he said.
The Facebook-owned firm confirmed that the flaw was already fixed, it also suggests users change their passwords, as a precautionary measure.
This isn’t the first time that security implemented by Instagram was questioned by experts. On August, hundreds of its accounts were hijacked in what appeared to be the result of a coordinated attack, all the accounts shared common signs of compromise.
Alleged attackers modified personal information making impossible to restore the accounts.
In September 2017, Doxagram website claimed to be selling the email addresses and phone numbers of 6M High-Profiles Instagram accounts ranging from POTUS to Taylor Swift.