Security bug in a GDPR-compliant tool of Instagram exposed user passwords


Instagram has notified some of its users that their password data were inadvertently exposed due to a security flaw tied to an Instagram tool called “Download Your Data”.

Put simply, users who submitted their login information to use the affected feature “were able to see their password information in the URL of the page,” the company said in a statement. On top of that, passwords were copied onto Facebook’s computers.

A security researcher told The Information that “this would only be possible if Instagram stores its passwords in plain text, which could be a larger and concerning security issue for the company.” But an Instagram spokesperson promptly disputed this, saying that Instagram hashes its stored passwords and also adds cryptographic salts to make them more secure.

The issue was “discovered internally and affected a very small number of people,” a spokesperson for the company confirmed. Instagram, however, advised some users to clear their browser history and update their password. Passwords stored on Facebook’s servers have also been deleted since the issue came to notice. Information about the flaw was kept secret until Instagram fixed the bug, which it did soon after it was spotted.

‘Download Your Data’ – available globally – allows you to have Instagram mail you a full copy of your data in 48 hours. It will include everything that you shared on the platform. The company introduced the tool in April this year to comply with the EU’s GDPR.