Apple CEO Tim Cook. Kevork Djansezian/Getty Images An unofficial Instagram app has been removed from the App Store after a developer dug into its code and discovered that it was secretly harvesting usernames and passwords and posting spam to user accounts, AppleInsider reports.

"Who Viewed Your Profile -- InstaAgent" was an app that claimed to tell users who had viewed their Instagram profile. Of course, you can't actually tell who viewed your profile, so the app was a little suspicious.

Freelance iOS developer David Layer Reiss exmained the app's code and found something worrying: InstaAgent had been storing usernames and passwords and sending them to a remote server.

Reiss also found that some InstaAgent users had seen spam photos posted to their timelines, likely because the app was able to log in using their password.

Reiss estimated that 500,000 people could have their Instagram account details compromised.

Apple has now removed InstagAgent from the App Store around the world, but that hasn't stopped the users who have already had their accounts affected. Apple declined to comment for this story, and Instagram provided Business Insider with the following statement:

These types of third-party apps violate our platform guidelines and are likely an attempt to get access to a user's accounts in an inappropriate way. We advise against installing third-party apps like these. Anyone who has downloaded this app should delete it and change their password.