A social media boosting service for Instagram, Social Captain, has exposed passwords of thousands of Instagram accounts.
Social Captain asks users to enter the Instagram username and password to get started. The worst part os that they were keeping passwords in unencrypted plaintext. They were also keeping the username and password in the source code of the profile page on their site that one can see on his/her profile page.
A bug on their website allowed anyone to access Social Captain user’s profiles without log in. Just by modifying the URL’s unique account ID, anyone can access other people’s Social Captain profiles and then Instagram username/password on the page’s source code.
TechCrunch got access to about 10,000 scraped user accounts from which 4,700 sets had Instagram usernames and passwords. This bug affected both free and paid customers. There were
After this bug came into light, Social Captain blocked direct access to other users’ profiles. But passwords and other account information are still there.
Instagram said that Social Captain has breached the terms of service by storing login credentials improperly. They are now investigating the issue and promised to take appropriate action.
Users who signed up to Social Captain should change their Instagram password immediately.
