Skip to main content

Instagram security lapse exposed some user passwords to the public, company says

Update: Instagram has issued the following statement to 9to5Mac:

“Temporarily, if someone submitted their login information to use the Instagram ‘Download Your Data’ tool, they were able to see their password information in the URL of the page. This information was not exposed to anyone else, and we have made changes so this no longer happens.”

A flaw in Instagram’s “Download Your Data” tool inadvertently exposed some user passwords, a report from The Information claims. In some instances, user passwords may have been exposed to public view. Instagram is said to have informed affected users via an email.

The Information reports Instagram users were informed via email that if they had used the “Download Your Data” tool, their passwords were exposed by being included in the URL of a webpage tied to the tool. Additionally, the passwords were also stored on Facebook’s computers.

The breadth of the flaw is unclear at this point, but a company spokesperson for Instagram says the issue was “discovered internally and affected a very small number of people.” Instagram also says that the bug has since been resolved and advises any affected users to clear their browser history to prevent anyone from seeing the URL that included their password.

This is a rather jarring and basic security lapse for Instagram and Facebook, which hasn’t done much at all to prove to users it knows how to handle sensitive data. It certainly raises the question of other security practices going on within Instagram.

Instagram originally launched its “Download Your Data” tool in April of this year to comply with the EU’s GDPR, but it is available to users around the world as well. Once you request your data via the tool, Instagram emails you within 48 hours with a full copy of everything you’ve shared on Instagram and all of the data the company has collected.

Have you used Instagram’s “Download Your Data” feature? If so, did you receive an email telling you that you were affected by this security lapse? Let us know down in the comments.


Subscribe to 9to5Mac on YouTube for more Apple news:

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Chance Miller Chance Miller

Chance is the editor-in-chief of 9to5Mac, overseeing the entire site’s operations. He also hosts the 9to5Mac Daily and 9to5Mac Happy Hour podcasts.

You can send tips, questions, and typos to chance@9to5mac.com.

Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications