Instagram introduced Download Your Data option last April, to let the user’s know what are the data collected. The feature was implemented in Instagram for GDPR compliance.
The bug was found in the Download Your Data tool, if the user uses the tool to download the data then it will be sent their password as a plain text in the URL and the passwords are stored on the Facebook servers.
A security researcher told Verge, “the Information that this would only be possible if Instagram stores its passwords in plain text, which could be a larger and concerning security issue for the company. An Instagram spokesperson disputed this, saying that the company hashes and salts its stored passwords.”
An Instagram spokesperson said the issue only affected a smaller number of users and the users are notified to change the login credentials. If the tool was used in public network or in a shared computer it will pose some serious risks.
Now the Facebook-owned firm fixed the issue and told user’s to reset their login credentials, also the Instagram spokesperson confirmed information was not exposed to anyone else, and we have made changes so this no longer happens. The news was reported by The Information.