Thousands of Instagram passwords exposed online after follower-boosting app Social Captain is found to be storing them online in plain text
- Instagram users that linked their account to Social Captain are at risk
- Vulnerability left passwords stored in plain text on unencrypted site
- Experts have said the vulnerability is of ‘great concern’ to users and urge those affected to update their passwords immediately
Thousands of Instagram accounts had their passwords exposed due to a vulnerability in an app claiming to boost follower numbers.
Social Captain was revealed as storing passwords of its users in an unencrypted file which could be easily accessed by hackers.
Criminals who accessed the site would have been able to simply read an account’s username and password in plain text.
It is unknown if any details were seized by hackers but users are urged to change their password and details urgently.
Instagram users that signed up to the Social Captain site to boost their numbers had to link their accounts.
This information, TechCrunch revealed, was poorly stored.
An unnamed security researcher found the vulnerability and reported it to TechCrunch, who in turn informed Social Captain.
‘Any user who viewed the web page source code on their Social Captain profile page could see their Instagram username and password in plain sight, so long as they had connected their account to the platform,’ the report claims.
‘Making matters worse, a website bug allowed anyone access to any Social Captain user’s profile without having to log in — simply plugging in a user’s unique account ID into the company’s web address would grant access to their Social Captain account — and their Instagram login credentials.’
Some of the users were also paying users, and the breach exposed their billing address.
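The two flaws the report describes, a profile page served to anyone who supplies an account ID and a stored password written into the page source, can be shown next to a corrected handler. The following is an added example, not Social Captain's code: the in-memory `ACCOUNTS` store, the function names and all sample values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Account:
    account_id: int
    ig_username: str
    ig_password: str      # plain-text storage, as the report describes
    billing_address: str

# Constructed sample records; none of these values come from the incident.
ACCOUNTS = {
    101: Account(101, "alice_example", "constructed-secret-1", "1 Example St"),
    102: Account(102, "bob_example", "constructed-secret-2", "2 Sample Rd"),
}

class Forbidden(Exception):
    """Raised when the caller may not view the requested profile."""

def render_profile_flawed(requested_id: int) -> str:
    # No session check: any caller who supplies an account ID gets the page,
    # and the stored password is written into the HTML source.
    a = ACCOUNTS[requested_id]
    return (f'<input name="user" value="{a.ig_username}">'
            f'<input type="password" value="{a.ig_password}">')

def render_profile_hardened(session_id: Optional[int], requested_id: int) -> str:
    # 1. Require an authenticated session.
    if session_id is None:
        raise Forbidden("login required")
    # 2. Object-level authorization: callers may only view their own profile.
    if session_id != requested_id or requested_id not in ACCOUNTS:
        raise Forbidden("not your profile")
    a = ACCOUNTS[requested_id]
    # 3. Never send the credential back to the browser.
    return f'<input name="user" value="{a.ig_username}"><span>Account linked</span>'

def page_leaks_secret(html: str, account_id: int) -> bool:
    # Regression check: the rendered page must not contain the stored secret.
    return ACCOUNTS[account_id].ig_password in html

if __name__ == "__main__":
    print(page_leaks_secret(render_profile_flawed(102), 102))
    print(page_leaks_secret(render_profile_hardened(102, 102), 102))
```

A check like `page_leaks_secret` can run in a test suite against every rendered page, so a later change that reintroduces the credential into the response fails the build.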
David Emm, Principal Security Researcher at Kaspersky, said: ‘While it’s understandable that people might want to boost their Instagram following, this shouldn’t be at the expense of their online security.
‘The fact Social Captain – or indeed any online service – stores login credentials in plain text is of great concern.
‘In this particular case it’s even scarier to think that someone else could view these credentials without even having to log in to the Social Captain site.
‘Anyone who has signed up to Social Captain should change their Instagram passwords.’
Anthony Rogers, chief executive at Social Captain, told TechCrunch that it is believed the vulnerability is a recent issue.
‘Early analysis indicates that the issue was introduced during the past weeks when the endpoint, meant to facilitate integration with a third-party email service, has been temporarily made accessible without token-based authentication,’ he said.
An Instagram spokesperson said: ‘As soon as we finalise the internal investigation we will be alerting users that could have been affected in the event of a breach and prompt them to update the associated username and password combinations.’