Instagram has recently patched a security issue in its website that might have accidentally exposed some of its users’ passwords in plain text.
The company recently started notifying affected users of a security bug in a newly offered feature called “Download Your Data,” which lets users download a copy of the data they have shared on the social media platform, including photos, comments, posts, and other information.
To prevent unauthorized users from getting their hands on your personal data, the feature asks you to reconfirm your password before downloading the data.
However, according to Instagram, the plaintext passwords for some users who had used the Download Your Data feature were included in the URL and also stored on Facebook’s servers due to a security bug that was discovered by the Instagram internal team.
The company said the stored data has been deleted from the servers owned by Facebook, Instagram’s parent company, and the tool has now been updated to resolve the issue, which “affected a very small number of people.”
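A password placed in a URL ends up wherever URLs are recorded, including server access logs and browser history. The following added example (not Instagram's code) shows how a defender could audit access logs for credentials in query strings and scrub them; the parameter names, paths, and log lines are constructed assumptions, since the article does not give the actual URL format.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Assumed parameter names that commonly carry secrets; not taken from Instagram's tool.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "pass", "token", "secret"}

# Matches the request line of a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def redact_target(target):
    """Return (redacted_target, leaked_keys) for one request target."""
    parts = urlsplit(target)
    leaked, cleaned = [], []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_KEYS and value:
            leaked.append(key)
            value = "REDACTED"
        cleaned.append((key, value))
    if not leaked:
        return target, []
    return urlunsplit(parts._replace(query=urlencode(cleaned))), leaked


def scan_log(lines):
    """Return (findings, scrubbed_lines); findings are (line_no, method, keys)."""
    findings, scrubbed = [], []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match:
            target, leaked = redact_target(match.group("target"))
            if leaked:
                findings.append((number, match.group("method"), leaked))
                line = line[:match.start("target")] + target + line[match.end("target"):]
        scrubbed.append(line)
    return findings, scrubbed


# Constructed sample log lines (hypothetical paths and values).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /export/start?user=alice&password=Tr0ub4dor%263 HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "POST /export/start HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Jan/2024:10:01:00 +0000] "GET /profile?id=42 HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    findings, scrubbed = scan_log(SAMPLE_LOG)
    for number, method, keys in findings:
        print(f"line {number}: {method} request carries {keys} in the URL")
    print("\n".join(scrubbed))
```

The second sample line shows the safer pattern: the same request sent as a POST, where the credential travels in the body and never appears in the logged request line.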
Download Your Data was rolled out by Instagram in April to comply with the new European data privacy regulations, General Data Protection Regulation (GDPR), and to address the privacy concerns of users worldwide amid Facebook’s Cambridge Analytica scandal.
Affected users are highly recommended to change their passwords and clear their browser history as soon as possible.
Users are also advised to enable two-factor authentication (2FA) and always secure their accounts with a strong and unique password.
Facebook had recently addressed a much more severe bug linked to its “View As” feature that was being actively exploited by unknown hackers to steal secret access tokens for 30 million Facebook users.
In late August, Instagram fixed another severe flaw in its API that unknown hackers exploited in the wild to gain access to the phone numbers and email addresses for many “high-profile” users with verified accounts.
In the same month, Instagram was also reportedly hit by a widespread hacking campaign that mysteriously locked hundreds of users out of their accounts, with their email addresses, account names, profile pictures, and passwords changed.