Instagram has notified some of its users that their password might have been exposed due to a security bug, according to The Information (via Engadget). A spokesperson for the company says that the issue was “discovered internally and affected a very small number of people.”
In this instance, the bug was tied to a feature that the company rolled out in April that allows users to download all of their data, implemented after European lawmakers rolled out their General Data Protection Regulation (GDPR). According to Instagram, some users who used that feature had their passwords included in a URL in their web browser, and the passwords were stored on the servers of Facebook, Instagram’s parent company.
A security researcher told The Information that this would only be possible if Instagram stores its passwords in plain text, which could be a larger and more concerning security issue for the company. An Instagram spokesperson disputed this, saying that the company hashes and salts its stored passwords.
Instagram says that it has since fixed the feature so that passwords won’t be exposed, and told users that they should change their passwords as a precaution. In a statement to The Verge, an Instagram spokesperson says that “if someone submitted their login information to use the Instagram ‘Download Your Data’ tool, they were able to see their password information in the URL of the page. This information was not exposed to anyone else, and we have made changes so this no longer happens.”
