According to The Information (via Engadget), Facebook-owned Instagram recently notified some of its users that their passwords had been exposed due to a potential security bug. An Instagram spokesperson said that this issue was “discovered internally and it has affected a very small number of people.”
This potential security bug was a result of one of Instagram’s features, rolled out to users in April, that allowed them to download all of their data. The feature was implemented after European lawmakers rolled out their General Data Protection Regulation (GDPR). According to Instagram, some users who used this feature ended up with their passwords included in a URL in their web browser, and those passwords had been stored on the servers of Facebook, Instagram’s parent company. A security researcher told The Information that this would have only been possible if Instagram allowed storage of its passwords in plain text. This definitely seems to pose a large and concerning security threat to the company. An Instagram spokesperson denied this and claimed that the company hashes and salts its stored passwords.
After all of this, Instagram said that it has fixed the bug in the feature so that passwords will no longer be exposed, and also told users to change their passwords as a precaution.
In a statement to The Verge, an Instagram spokesperson said: “If someone submitted their login information to use the Instagram ‘Download Your Data’ tool, they were able to see their password information in the URL of the page. This information was not exposed to anyone else, and we have made changes so this no longer happens.”