[BreachExchange] Instagram Accidentally Exposed Some Users' Passwords In Plaintext

Destry Winant destry at riskbasedsecurity.com
Mon Nov 19 20:29:11 EST 2018


https://thehackernews.com/2018/11/instagram-password-hack.html

Instagram has recently patched a security issue in its website that
might have accidentally exposed some of its users' passwords in plain
text.

The company recently started notifying affected users of a security
bug in a newly offered feature called "Download Your Data", which
lets users download a copy of the data they have shared on the social
media platform, including photos, comments, posts, and other
information.

To prevent unauthorized users from getting their hands on your
personal data, the feature asks you to reconfirm your password before
downloading the data.

However, according to Instagram, the plaintext passwords for some
users who had used the Download Your Data feature were included in the
URL and also stored on Facebook's servers due to a security bug that
was discovered by the Instagram internal team.

The company said the stored data has been deleted from the servers
owned by Facebook, Instagram's parent company, and the tool has now
been updated to resolve the issue, which "affected a very small number
of people."
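
A password placed in a URL is copied into web-server access logs along
with the rest of the request line. The following is an added example,
not code from Instagram or from the article: it finds and redacts
credential-bearing query parameters in access-log lines. The parameter
names, the request path and the log lines are assumptions constructed
for illustration; the article does not say which ones were involved.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed parameter names; the article does not name the one that leaked.
SENSITIVE = {"password", "passwd", "pwd", "pass"}

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def redact_target(target):
    """Return (redacted_target, leaked_param_names) for one request target."""
    parts = urlsplit(target)
    leaked, cleaned = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE and value:
            leaked.append(name)
            value = "REDACTED"
        cleaned.append((name, value))
    if not leaked:
        return target, []  # leave clean targets byte-for-byte unchanged
    return urlunsplit(parts._replace(query=urlencode(cleaned))), leaked

def scrub_line(line):
    """Redact secrets in one log line; return (scrubbed_line, leaked_names)."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, []
    new_target, leaked = redact_target(m.group("target"))
    return line[:m.start("target")] + new_target + line[m.end("target"):], leaked

def find_leaks(lines):
    """Return [(line_number, leaked_names)] for lines that carried a secret."""
    hits = []
    for number, line in enumerate(lines, start=1):
        _, leaked = scrub_line(line)
        if leaked:
            hits.append((number, leaked))
    return hits

# Constructed sample log lines (hypothetical path, documentation IP range).
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Nov/2018:20:29:11 +0000] '
    '"GET /download/request?user=alice&password=hunter2%21 HTTP/1.1" 200 512',
    '203.0.113.7 - - [19/Nov/2018:20:30:02 +0000] '
    '"POST /download/request HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(scrub_line(entry)[0])
```

Sending the reconfirmed password in a POST body, as in the second
sample line, keeps it out of the request line and therefore out of
these logs and the browser history.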

Download Your Data was rolled out by Instagram in April to comply with
the new European data privacy regulations, General Data Protection
Regulation (GDPR), and to address the privacy concerns of users
worldwide amid Facebook's Cambridge Analytica scandal.

Affected users are strongly advised to change their passwords and
clear their browser history as soon as possible.

If you have not received any notification from the photo-sharing
service yet, it means your Instagram account and password are
apparently not affected by the bug. If you are still concerned about
the privacy and security of your account, you can also consider
changing your password.

Users are also advised to enable two-factor authentication (2FA) and
always secure their accounts with a strong and unique password.

Facebook had recently addressed a much more severe bug linked to its
"View As" feature that was being actively exploited by unknown hackers
to steal secret access tokens for 30 million Facebook users.

In late August, Instagram fixed another severe flaw in its API that
unknown hackers exploited in the wild to gain access to the phone
numbers and email addresses for many "high-profile" users with
verified accounts.

In the same month, Instagram was also reportedly hit by a widespread
hacking campaign that mysteriously locked hundreds of users out of
their accounts, with their email addresses, account names, profile
pictures, and passwords changed.
