The popular social media photo sharing app Instagram has recently patched a bug in their website that accidentally exposed some of their users’ passwords in plaintext. The bug resides in the new “Download Your Data” feature. This new feature allows the user to download a copy of all the data they have shared with the site, including comments, posts, photos, and other information. To ensure safety when downloading the data, Instagram asks the user to reconfirm their password before downloading the data. For some users that utilized the feature, their password was included in the URL and stored on Facebook’s servers. The data on Facebook servers was deleted and an update has been released to address the bug. Very few users were affected by the bug and Instagram has informed those affected.
Analyst Notes
Instagram has already notified affected users about the bug. If notified by Instagram, affected users are advised to change their password and clear their browsing history immediately. Users can also ensure safety by using 2FA (Two Factor Authentication) with a strong password. If the user has reused the password on another account that they used for their Instagram account, they should change that password as well. Reusing passwords allows attackers to breach multiple accounts if one of them becomes compromised. If the user has used a similar variation of the password leaked by Instagram, they should change that password too, because variations are very easy to crack if the attacker already knows part of the password. Passwords should always be unique to themselves and to the account, they should also never be reused in order to reduce the risk of the password being cracked.
