Instagram bug left user passwords exposed in plain text

Back in late September this year, a vulnerability in Facebook‘s “Vew As” feature allowed attackers to steal access tokens of 50 Million accounts which allowed them to take over the accounts of users. Well now, a bug in Facebook-owned Instagram‘s tool has exposed passwords of users in plain text, giving rise to concerns over how serious Facebook and its companies are in protecting the data of their users.


Back in late April this year, Instagram released ‘Download Your Data‘ tool that lets users download a copy of their data. This includes your photos, videos, comments, profile information, archived Stories, Direct messages, post and Story captions, and much more. Well, according to a recent report, a bug in this tool exposed passwords of Instagram users in plain text.

Instagram’s ‘Download Your Data’ tool lets you download a copy of your data

Those users who used this tool to download a copy of their data had their passwords exposed in plain text in the URL of their web browser. The passwords were also stored on Instagram-parent Facebook’s servers. Soon after this bug came to light, Instagram fixed the tool, deleted the passwords, and also informed the affected users of the same.

Well, this could have had serious implications if people were using a shared computer and didn’t clear the browsing history, as that could allow anyone with access to the computer to see those passwords.

Commenting on this incident, an Instagram spokesperson said, “if someone submitted their login information to use the Instagram ‘Download Your Data’ tool, they were able to see their password information in the URL of the page. This information was not exposed to anyone else, and we have made changes so this no longer happens.

In this day and age where more and more people are getting online and using social media, it’s moronic for companies to save the passwords of their users in plain text. We don’t understand why companies don’t make use of one-way hashing techniques for storing passwords. After all, once the information has been converted into one-way hash, it cannot be reversed to derive the original information.

Having said that, as an end-user, apart from using a unique and strong password, we also advise you to enable two-factor authentication that will add an additional layer of security to your account. Here’s how you can enable two-factor authentication on Instagram.