A social media booting service called Social Captain, that helps users grow their Instagram follower counts, has leaked thousands of Instagram usernames and passwords for potential hackers.
TechCrunch reported that the Social Captain stored passwords of linked Instagram accounts in unencrypted plaintext.
A website vulnerability allowed anyone access to any Social Captain user’s profile without having to log in and access their Instagram login credentials.
The report added that “A security researcher, who asked not to be named, alerted TechCrunch to the vulnerability and provided a spreadsheet of about 10,000 scraped user accounts.”
About 70 accounts were premium accounts of paid customers.
Social Captain said later it had fixed the vulnerability by preventing direct access to other users’ profiles.
Instagram announced that the service breached the company terms of service by improperly storing login credentials.
An Instagram spokesperson mentioned that “We are investigating and will take appropriate action. We strongly encourage people to never give their passwords to someone they don’t know or trust.”
According to Adam Brown, Manager, Security Solutions, at Synopsys Software Integrity Group, design flaws are the cause of nearly 50 percent of all software vulnerabilities.
Brown told IANS that “They are seldom detected without performing a design review as this activity requires select expertise. That said, in this case, a penetration test should have easily identified this flaw. This is especially bad for affected users not just because their Instagram passwords are now breached, but also due to the fact that people commonly reuse passwords which could lead to unauthorized access of additional accounts by extension.”
In May last year, Instagram saw itself in trouble after personal data of millions of celebrities and influencers were reportedly exposed on its platform in a massive database that was traced to Mumbai-based social media marketing firm.
The database contained around 49 million records of several high-profile influencers, that includes prominent food bloggers, celebrities and other social media influencers.
A bug on Instagram led to the leak of personal details of more than 6 million celebrity users in 2017, including Taylor Swift and Kim Kardashian.
The stolen information was later dumped into a database and reportedly sold for $10 per record via Bitcoins.