Instagram security bug inadvertently exposed user passwords

Instagram’s ‘Download Your Data’ tool accidentally put user credentials at risk. What’s particularly worrisome, though, is the possibility that Instagram stores passwords in plain text.


A security bug in Instagram resulted in a major data breach that left users’ passwords exposed.

The security incident is yet another egg on the face of its parent company Facebook: the social media behemoth has been embroiled in data privacy concerns for a while now.

In April this year, Instagram, in a bid to comply with European General Data Protection Regulation (GDPR) mandates, rolled out a ‘Download Your Data’ feature, which enabled users to keep track of and download their data.


Instagram revealed in a statement that users who used the ‘Download Your Data’ feature had their passwords show up in a URL in the web browser, and that the passwords were stored on Facebook’s servers.

It’s murkier than it looks

A security researcher, in an interview with The Information, said that this could only be possible if Instagram stores its passwords in plain text.

This is particularly worrisome because it calls Instagram’s password protection protocols into question. Added to this, there is no explanation for why Instagram passwords were being stored on Facebook servers.

However, an Instagram spokesperson clarified that the company hashes and salts its stored passwords.

Instagram has reached out to affected users, so if you haven’t heard from them, you are in the safe zone. Additionally, the company said in a statement that the security bug has been fixed.