Instagram Data Download Tool Bug Exposes User Passwords

Tajammul Pangarkar
Tajammul Pangarkar

Updated · Nov 22, 2018

SHARE: is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more.
Advertiser Disclosure

At Scoop, we strive to bring you the most accurate and up-to-date information by utilizing a variety of resources, including paid and free sources, primary research, and phone interviews. Our data is available to the public free of charge, and we encourage you to use it to inform your personal or business decisions. If you choose to republish our data on your own website, we simply ask that you provide a proper citation or link back to the respective page on Scoop. We appreciate your support and look forward to continuing to provide valuable insights for our audience.

Instagram has witnessed a minor yet important privacy issue, exposing some of the user passwords. As per what The Information has reported, a security bug has caused exposure to the password of some users. The company officials say that the issue was found out internally and that the bug was fixed thereafter. It means that the particular bug would have caused serious issues for the user. The bug was found in a Data Download tool that Instagram had launched in April. This tool was made to help users download Instagram information in a single package, with compliance to GDPR.

The issue happened when someone tried to use the Instagram Data Download tool for downloading all data stored in the servers. Upon authentication, the Instagram URL used to show the username and password in the URL, which is not at all secure. Of course, the URL would be visible only for the user, but in the long run, the trend causes more issues. The Information pointed out the suspicion that Instagram is storing all user passwords in plain text and that it probably does not make use of encryption technologies. However, official words from Instagram have disputed this.

Instagram officials say that the service stores the password information via hashes, using one of the topmost encryption technologies. As per what the spokespersons have said, the information was gathered when the user enters the credentials. Nevertheless, as per the officials, the issue has been addressed and fixed and it is not observed by users as of now. It is, however, quite ironical that a feature that was launched to enhanced user-data control and privacy turned out to have a grievous privacy error that would compromise security of many users. As it can be guessed, although the URL is seen to the customer, someone who sneaks into a PC and finds the URL would also have the Instagram password.

Tajammul Pangarkar

Tajammul Pangarkar

Tajammul Pangarkar is a CMO at Prudour Pvt Ltd. Tajammul longstanding experience in the fields of mobile technology and industry research is often reflected in his insightful body of work. His interest lies in understanding tech trends, dissecting mobile applications, and raising general awareness of technical know-how. He frequently contributes to numerous industry-specific magazines and forums. When he’s not ruminating about various happenings in the tech world, he can usually be found indulging in his next favorite interest - table tennis.