Update: Instagram has issued the following statement to 9to5Mac:
“Temporarily, if someone submitted their login information to use the Instagram ‘Download Your Data’ tool, they were able to see their password information in the URL of the page. This information was not exposed to anyone else, and we have made changes so this no longer happens.”
A flaw in Instagram’s “Download Your Data” tool inadvertently exposed some user passwords, a report from The Information claims. In some instances, user passwords may have been exposed to public view. Instagram is said to have informed affected users via an email.
Sylvania HomeKit Light Strip
The Information reports Instagram users were informed via email that if they had used the “Download Your Data” tool, their passwords were exposed by being included in the URL of a webpage tied to the tool. Additionally, the passwords were also stored on Facebook’s computers.
The breadth of the flaw is unclear at this point, but a company spokesperson for Instagram says the issue was “discovered internally and affected a very small number of people.” Instagram also says that the bug has since been resolved and advises any affected users to clear their browser history to prevent anyone from seeing the URL that included their password.
This is a rather jarring and basic security lapse for Instagram and Facebook, which hasn’t done much at all to prove to users it knows how to handle sensitive data. It certainly raises the question of other security practices going on within Instagram.
Instagram originally launched its “Download Your Data” tool in April of this year to comply with the EU’s GDPR, but it is available to users around the world as well. Once you request your data via the tool, Instagram emails you within 48 hours with a full copy of everything you’ve shared on Instagram and all of the data the company has collected.
Have you used Instagram’s “Download Your Data” feature? If so, did you receive an email telling you that you were affected by this security lapse? Let us know down in the comments.