Apple and Google have removed one of the most popular Instagram clients from their app stores after it was found to be stealing user passwords and posting photos without permission. Third-party app InstaAgent was found to be storing users' Instagram usernames and passwords in an unencrypted form, before sending them on to unknown servers by iOS developer David L-R, who posted his discovery on Twitter late last night.

Google responded quickly to the revelation, removing the app from its Play Store, but Apple took a little longer to kill any mention of InstaAgent from the App Store, finally removing it a few hours after the first tweets indicated its malicious intentions. While Instagram warns against using third-party apps to access your profile for precisely this reason, InstaAgent promised extra features for its users, including the ability to see who was viewing your profile.

"Who Viewed Your Profile" #Instaagent will send your Instagram Username and Password to an unknown server! pic.twitter.com/8uZJljJdtO — David L-R (@PeppersoftDev) November 10, 2015

The app is now gone, but hundreds of thousands of Instagram accounts are already compromised. Although not tremendously successful in the United States, InstaAgent had reached the top spot in the free iPhone apps section of the App Store in both the UK and Canada before it was removed by Apple, and on the Play Store, had racked up between 100,000 and 500,000 downloads. If you were one of those tempted by the app's promises, then you'll want to change your passwords as soon as possible. At the same time, Apple and Google might want to take a look at the selection procedures that allowed such an obviously malicious bit of software from passing their tests and riding high in their app stores.