Instagram has notified some of its users that their passwords may have been compromised due to a security error according to Information (via Engadget ). A spokesman for the company says that the issue was “detected internally and affected a very small number of people”.
In this case, the bug was linked to a function that the company rolled out in April, allowing users to download all of their data, implemented after European legislators have drafted its General Data Descriptive Regulation (GDPR). According to Instagram, some users who used that feature had their password included in a browser URL and that the passwords were stored on Facebook’s servers, Instagram’s parent company. A security scientist told the information that this would only be possible if Instagram stores its passwords in plain text, which could be a major and concern for company security. An Instagram spokesman contests this saying that the company is hacking and salting its stored passwords.
Instagram says that since then it has fixed the feature so that passwords will not be exposed and tell users to change their passwords as a precaution. In a statement to The Verge, an Instagram spokesman states that “if someone left the login information to use the Instagram” Download Your Data “tool, they could see their password information in the URL of the page. This information was not exposed to anyone else and we have done changes so this will no longer happen. “
Updated November 1
7, 15:30 ET : Includes Instagram spokesman information regarding password security.