Thousands of Instagram passwords exposed online after follower-boosting app Social Captain is found to be storing them in plain text

Thousands of Instagram accounts had their passwords exposed due to a vulnerability in an app claiming to boost follower numbers.

Social Captain was revealed to be storing its users' passwords in an unencrypted file that could be easily accessed by hackers. 

Criminals who accessed the site would have been able to simply read an account's username and password in plain text.  

It is unknown if any details were seized by hackers but users are urged to change their password and details urgently.  


Instagram users who signed up to the Social Captain site to boost their numbers had to link their accounts. 

This information, TechCrunch revealed, was poorly stored. 

An unnamed security researcher found the vulnerability and reported it to TechCrunch, who in turn informed Social Captain. 

'Any user who viewed the web page source code on their Social Captain profile page could see their Instagram username and password in plain sight, so long as they had connected their account to the platform,' the report claims.  

'Making matters worse, a website bug allowed anyone access to any Social Captain user's profile without having to log in — simply plugging in a user's unique account ID into the company's web address would grant access to their Social Captain account — and their Instagram login credentials.'

Some of the users were also paying users, and the breach exposed their billing address. 

David Emm, Principal Security Researcher at Kaspersky, said: 'While it's understandable that people might want to boost their Instagram following, this shouldn't be at the expense of their online security.

'The fact Social Captain – or indeed any online service – stores login credentials in plain text is of great concern.


'In this particular case it's even scarier to think that someone else could view these credentials without even having to log in to the Social Captain site. 

'Anyone who has signed up to Social Captain should change their Instagram passwords.'

Anthony Rogers, chief executive at Social Captain, told TechCrunch that the vulnerability is believed to be a recent issue.  

'Early analysis indicates that the issue was introduced during the past weeks when the endpoint, meant to facilitate integration with a third-party email service, has been temporarily made accessible without token-based authentication,' he said.
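The two defects the TechCrunch report and Mr Rogers describe above (a profile page that carries the linked Instagram password into what the browser receives, and a profile endpoint reachable by account ID without any login or token) are a textbook insecure-direct-object-reference plus a data-exposure bug. The following is an added illustration, not Social Captain's code, written as two plain Python handler functions over an in-memory store; the record layout, field names, sample users and session scheme are all constructed for the example.

```python
"""Added example: an unauthenticated "profile by ID" lookup beside a hardened one.

The weak handler returns the whole stored record for any numeric ID, with no
login required and the third-party credential inline. The hardened handler
requires a valid session token, checks that the caller owns the requested
record, and builds its response view explicitly so the credential (and any
field added later) is never serialised by default. All names and data here are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional
import hmac
import secrets


@dataclass
class Profile:
    user_id: int
    email: str
    instagram_username: str
    instagram_password: str  # credential the service uses to act on the user's behalf
    billing_address: str


# Constructed sample records (no real accounts).
PROFILES: Dict[int, Profile] = {
    1001: Profile(1001, "alice@example.test", "alice_ig", "alice-secret", "1 Main St"),
    1002: Profile(1002, "bob@example.test", "bob_ig", "bob-secret", "2 High St"),
}

# Session store: opaque random bearer token -> user_id.
SESSIONS: Dict[str, int] = {}


def login(user_id: int) -> str:
    """Issue a session token for an already-authenticated user (the login check itself is out of scope)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


# --- The weak pattern described in the article ------------------------------
def profile_insecure(user_id: int) -> dict:
    """Any caller, any ID, no login: the full record including the password is returned."""
    return vars(PROFILES[user_id]).copy()


# --- Hardened handler ---------------------------------------------------------
class Forbidden(Exception):
    pass


def current_user(token: Optional[str]) -> Optional[int]:
    """Resolve a bearer token to a user id; compare in constant time so timing does not leak tokens."""
    if token is None:
        return None
    for stored, uid in SESSIONS.items():
        if hmac.compare_digest(stored, token):
            return uid
    return None


def authorized(user_id: int, token: Optional[str]) -> bool:
    """True only when the token is valid AND belongs to the user whose record is requested."""
    uid = current_user(token)
    return uid is not None and uid == user_id


def profile_secure(user_id: int, token: Optional[str]) -> dict:
    """Ownership-checked lookup that never emits the stored credential."""
    if not authorized(user_id, token):
        # One response for "not logged in" and "not your record", so the endpoint
        # does not confirm which IDs exist.
        raise Forbidden("authentication required")
    p = PROFILES[user_id]
    return {
        "user_id": p.user_id,
        "instagram_username": p.instagram_username,
        "instagram_linked": bool(p.instagram_password),  # a flag, never the secret
    }


if __name__ == "__main__":
    tok = login(1001)
    print(profile_secure(1001, tok))          # safe view of the caller's own record
    print(authorized(1002, tok))              # False: another user's ID with a valid session
    print(authorized(1001, None))             # False: no session at all
```

The fix is two independent checks, and both matter: requiring a session stops anonymous enumeration by ID, and comparing the session's user to the requested ID stops a logged-in user from reading someone else's record. Keeping the credential out of the response view is separate again; a credential the service genuinely needs (as a follower-boosting app needs the Instagram login) still belongs encrypted at rest and never in page source or API output.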

An Instagram spokesperson said: 'As soon as we finalise the internal investigation we will be alerting users that could have been affected in the event of a breach and prompt them to update the associated username and password combinations.'


HOW CAN I CHOOSE A SECURE PASSWORD?

According to internet security provider Norton, 'the shorter and less complex your password is, the quicker it can be for the program to come up with the correct combination of characters. 

'The longer and more complex your password is, the less likely the attacker will use the brute force method, because of the lengthy amount of time it will take for the program to figure it out.

'Instead, they'll use a method called a dictionary attack, where the program will cycle through a predefined list of common words that are used in passwords.'
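The Norton quote contrasts two costs: exhaustive brute force, which grows with the password's length and alphabet, and a dictionary attack, whose cost is just the size of the word list, so a long but predictable password gains nothing. The check below is an added example (not Norton's or Instagram's code) that scores a candidate password on both axes; its word list, length floor and bit threshold are constructed for illustration, and a real deployment would screen against a large breached-password list instead.

```python
"""Added example: a password check that reflects both attack modes in the text.

- Brute force: log2(alphabet_size ** length) bits of search space.
- Dictionary: reject anything that, after lower-casing, trimming a trailing
  "123!"-style suffix and undoing common letter-for-symbol swaps, matches a
  known common password. The list, thresholds and leet map are constructed
  for illustration.
"""
import math
import string
from typing import List

COMMON_PASSWORDS = {  # constructed sample; real lists hold millions of entries
    "password", "123456", "qwerty", "letmein", "instagram", "iloveyou", "welcome",
}
MIN_LENGTH = 12
MIN_BITS = 60.0

# Common substitutions attackers already include in their word lists.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "3": "e", "$": "s",
                      "5": "s", "1": "i", "!": "i", "7": "t"})


def search_space_bits(pw: str) -> float:
    """Bits of brute-force search space, assuming the attacker tries every
    string over the character classes the password actually uses."""
    alphabet = 0
    if any(c in string.ascii_lowercase for c in pw):
        alphabet += 26
    if any(c in string.ascii_uppercase for c in pw):
        alphabet += 26
    if any(c in string.digits for c in pw):
        alphabet += 10
    if any(c in string.punctuation for c in pw):
        alphabet += len(string.punctuation)  # 32 characters
    if any(c not in string.printable for c in pw):
        alphabet += 100  # rough allowance for non-ASCII characters
    if alphabet == 0:
        return 0.0
    return len(pw) * math.log2(alphabet)


def normalize(pw: str) -> str:
    """Reduce a password to the dictionary word an attacker would have derived it from."""
    core = pw.lower().strip(string.digits + string.punctuation)
    return core.translate(LEET)


def check_password(pw: str) -> List[str]:
    """Return the list of policy failures (empty list means the password is acceptable)."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too_short")
    if pw.lower() in COMMON_PASSWORDS or normalize(pw) in COMMON_PASSWORDS:
        reasons.append("common_word")
    if search_space_bits(pw) < MIN_BITS:
        reasons.append("low_entropy")
    return reasons


if __name__ == "__main__":
    for candidate in ("qwerty", "P@ssw0rd123!", "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate) or 'ok'} "
              f"({search_space_bits(candidate):.1f} bits)")
```

The second candidate is the instructive one: `P@ssw0rd123!` is twelve characters drawn from all four classes and scores well on the brute-force axis, yet it normalises straight back to `password`, so the dictionary check rejects it. Length and symbol substitutions only help when the underlying string is not something a word list already contains.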

Here are some steps to follow when creating a new password:

DO:

DO NOT: