Instagram feature accidentally leaks passwords, affected users warned to update

Another week, another security issue related to Facebook or one of its properties. This time it’s Instagram, which has disclosed that a “small number” of users’ password were exposed as plaintext. This was the result of a bug in the tool that lets users download all of their own data from the social network.

An Instagram spokesperson confirmed the security lapse to The Information, detailing that some users who used the feature to download a copy of their data had their password included in plaintext in the URL. Even more troubling is that these passwords were then stored on Facebook servers.

Instagram reiterated that the bug had only affected “a very small number of people,” and once it had been internally discovered the bug was fixed to no longer display passwords. In addition, all affected users have been contacted and warned to change their password as well as clear their browser’s history.

When The Information brought the concern of passwords being stored in plaintext, the Instagram rep said all password data is hashed, the information that was saved to Facebook’s servers has been deleted, and the URL containing the password was only displayed to the user that used the Download Your Data feature, no one else.

While the social network obviously hopes this is enough to reassure any affected users, the biggest threat is to anyone who used a public or shared computer when the bug was active, or was on an unsecured network at the time. Along with updating their passwords, Instagram users should follow these instructions to enable two-factor authentication.