Written byShubham Sharma ·
In a major shocker, thousands of Instagram usernames and passwords have been leaked online.
The data, according to a report in TechCrunch, has been compromised through a third-party platform named Social Captain.
It worked outside the mitts of the Facebook-owned photo-sharing service and mined username-passwords without proper permission.
Here's all you need to know about it.
Social Captain, as the name suggests, is an independent platform that promises to increase Instagram followers for people using "automated targeted marketing & the power of AI."
The company offers a range of plans (with various tracking/analytical tools) and claims to be serving thousands of Instagram businesses and influencers looking to grow their reach by drawing more followers, organically.
While Social Captain looked innocuous initially, the folks at TechCrunch noted that the company required users to connect their Instagram accounts by logging in.
This, they found, allowed the platform to collect the usernames-passwords of users and store those details in plain text.
The unencrypted data could even be viewed by visiting Social Captain users' profiles and viewing the source code of the page.
Beyond storing confidential usernames-passwords in plain text, Social Captain was also found to be exposing user profiles without requiring a login.
Essentially, the platform had a bug, which opened a way for threat actors to put in unique account IDs (randomly-generated and mostly sequential) into Social Captain's web address and view profiles of users - and their Instagram username-passwords and other details.
TechCrunch learned about these issues when an anonymous security researcher managed to scrape details of nearly 10,000 Instagram users through the bugs and raised major alarms on the matter.
He had a spreadsheet, which contained as many as 4,700 username-password combinations. The rest of the data included name, emails, or billing address of people who had the premium subscription of Social Captain.
Social Captain issued a statement saying that the bug has been patched by preventing direct access to the profiles of users.
"As soon as we finalize the internal investigation we will be alerting users that could have been affected in the event of a breach and prompt them to update the associated username and password combinations," said Anthony Rogers, the CEO of Social Captain.
Despite Rogers' comments, you should note the patch only blocks external access to Social Captain profiles - not the ability to view Instagram passwords via source code.
So, even if you have not received a password change alert from Social Captain, we'd recommend taking action by changing the password of the Instagram account connected with the service immediately.
"We are investigating and will take appropriate action. We strongly encourage people to never give their passwords to someone they don't know or trust," Instagram said while adding that Social Captain violated its terms by storing password credentials improperly.
Love Science news?
Subscribe to stay updated.