Instagram has notified some of its users that their passwords might have been exposed in plain text due to a security bug, which the company has since patched.
The security bug resides in a new feature called “Download Your Data” that lets users download a copy of the data they have shared on Instagram, including photos, comments, posts, and other information. The feature asks users to reconfirm their password before downloading the data, to prevent unauthorized users from getting their personal data.
According to Instagram, when users used this feature, their passwords were included in the URL as plain text and were also stored on Facebook’s servers, due to a security bug that was discovered by Instagram’s internal team.
The company confirms that the stored data has been deleted from the servers owned by Facebook, Instagram’s parent company, and that the issue has been resolved by updating the tool. The issue, however, affected a very small number of people.
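The failure described above, a password carried in the URL and then kept in server-side storage, is something a log audit can catch. The following Python code is an added example, not Instagram's or Facebook's code: it scans access-log request lines for credential-like query parameters and produces a redacted copy of each affected entry. The parameter names, paths and log entries are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumption: parameter names treated as credential-bearing. The article does not
# say which name Instagram's tool used; adjust this set for your own application.
SENSITIVE = {"password", "passwd", "pwd", "pass", "secret", "token"}

# Request line inside a combined-format access log entry: "METHOD target HTTP/x"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def redact_target(target):
    """Return (redacted_target, names_of_sensitive_params_found)."""
    parts = urlsplit(target)
    found, cleaned = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE:
            found.append(name)
            value = "REDACTED"
        cleaned.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(cleaned))), found

def scan_log(lines):
    """Return (line_no, param_names, redacted_line) for entries leaking a credential."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        redacted, found = redact_target(m.group("target"))
        if found:
            safe = line[:m.start("target")] + redacted + line[m.end("target"):]
            findings.append((no, found, safe))
    return findings

# Constructed sample entries (not real Instagram logs); hosts and paths are made up.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /export/request?user=alice&password=hunter2%21 HTTP/1.1" 200 512',
    '203.0.113.8 - - [01/Jan/2024:10:00:05 +0000] "POST /export/request HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /profile?id=42&Pwd=s3cret HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for no, names, safe in scan_log(SAMPLE_LOG):
        print(f"line {no}: credential parameter(s) {names} in URL -> {safe}")
```

The second sample entry is not flagged because a credential sent in a POST body does not appear in the request line, which is why it stays out of access logs and browser history.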
Instagram launched the Download Your Data feature in April to comply with the new European data privacy regulation, the General Data Protection Regulation (GDPR), and to address the privacy concerns of users worldwide amid Facebook’s Cambridge Analytica scandal.
Affected users are strongly advised to change their passwords and clear their browser history as soon as possible. Users who have not received a notification can take it that their Instagram account and password were apparently not affected by the bug. Still, if you are concerned about your account security, it is advisable to change your password. Users can also enable two-factor authentication (2FA) and make sure to use a strong and unique password.
Just two months ago, Instagram patched another severe flaw in its API that unknown hackers had exploited in the wild to gain access to the phone numbers and email addresses of many “high-profile” users with verified accounts. Instagram was also reportedly hit by a widespread hacking campaign that locked hundreds of users out of their accounts, with their email addresses, account names, profile pictures, and passwords changed.