A social media engagement startup, which describes itself as a service that can help clients increase their Instagram followers, has exposed thousands of Instagram passwords.
SocialCaptain claims that it helps many Instagram users grow their profiles by signing up their accounts to its service and platform. When users first sign up, they are required to share their username and password to receive the service.
It was revealed this week, however, that SocialCaptain was storing its clients’ passwords unencrypted, in plain text, which means that they are in plain sight to anyone who wants to see them. If you view the page source of a profile page on SocialCaptain, you can see any user’s password.
As if it couldn’t get any worse, there was also a bug that allowed anyone to gain access to SocialCaptain clients’ profiles without even having to log in. All they had to do was type in the username of the profile to see it.
Not only would they gain access to the account, but they would also be able to see the login details of the user.
An anonymous security researcher exposed a spreadsheet with as many as 10,000 user accounts that had been scraped for sensitive information like this. There are loopholes in the law that mean scraping websites isn’t necessarily illegal.
The spreadsheet also contained almost 5,000 Instagram usernames and their passwords. The rest of the 10,000 just included the name of the user and their email.
The data also showed whether the user was still on a free trial, or whether they had signed up for a paid service. Interestingly, only about 70 accounts were currently paying for the service, but within these were also details of the clients’ billing addresses.
SocialCaptain claims that it has fixed the vulnerability in the system. However, if you visit its web page and view the source code, you can still see passwords, as well as other account information.
SocialCaptain said that they would be conducting an investigation, but wouldn’t speculate as to how long this would take.
Instagram has said that SocialCaptain’s service directly violates their terms and conditions around properly storing sensitive client information, like usernames and passwords. If you are already signed up with SocialCaptain, it’s vital that you change your password straight away.
Unfortunately, this is just one of the many security breaches to affect Instagram users. Instagram has been hard at work trying to locate and identify services like SocialCaptain that are ripping their customers off, or improperly storing their data.