Thousands of Instagram passwords exposed online after follower-boosting app Social Captain is found to be storing them online them in plain text
by Joe Pinkstone For Mailonline- Instagram users that linked their account to Social Captain are at risk
- Vulnerability left passwords stored in plain text on unencrypted site
- Experts have said the vulnerability is of 'great concern' to users and urges those affected to update their passwords immediately
Thousands of Instagram accounts had their passwords exposed due to a vulnerability in an app claiming to boost follower numbers.
Social Captain was revealed as storing passwords of its users in an unencrypted file which could be easily accessed by hackers.
Criminals who accessed the site would have been able to simply read an account's username and password in plain text.
It is unknown if any details were seized by hackers but users are urged to change their password and details urgently.
Instagram users that signed up to the Social Captain site to boost their numbers had to link their accounts.
This information, TechCrunch revealed, was poorly stored.
An unnamed security researcher found the vulnerability and reported it to TechCrunch, who in turn informed Social Captain.
'Any user who viewed the web page source code on their Social Captain profile page could see their Instagram username and password in plain sight, so long as they had connected their account to the platform,' the report claims.
'Making matters worse, a website bug allowed anyone access to any Social Captain user's profile without having to log in — simply plugging in a user's unique account ID into the company's web address would grant access to their Social Captain account — and their Instagram login credentials.'
Some of the users were also paying users, and the breach exposed their billing address.
David Emm, Principal Security Researcher at Kaspersky, said: 'While it's understandable that people might want to boost their Instagram following, this shouldn't be at the expense of their online security.
'The fact Social Captain – or indeed any online service – stores login credentials in plain text is of great concern.
'In this particular case it's even scarier to think that someone else could view these credentials without even having to log in to the Social Captain site.
'Anyone who has signed up to Social Captain should change their Instagram passwords.'
Anthony Rogers, chief executive at Social Captain, told TechCrunch that it is believed the vulnerability is a recent issue.
'Early analysis indicates that the issue was introduced during the past weeks when the endpoint, meant to facilitate integration with a third-party email service, has been temporarily made accessible without token-based authentication,' he said.
An Instagram spokesperson said: 'As soon as we finalise the internal investigation we will be alerting users that could have been affected in the event of a breach and prompt them to update the associated username and password combinations.'
'While it's understandable that people might want to boost their Instagram following, this shouldn't be at the expense of their online security.
'The fact Social Captain – or indeed any online service – stores login credentials in plain text is of great concern.
'In this particular case it's even scarier to think that someone else could view these credentials without even having to log in to the Social Captain site.
'Anyone who has signed up to Social Captain should change their Instagram passwords.'
HOW CAN I CHOOSE A SECURE PASSWORD?
According to internet security provider Norton, 'the shorter and less complex your password is, the quicker it can be for the program to come up with the correct combination of characters.
The longer and more complex your password is, the less likely the attacker will use the brute force method, because of the lengthy amount of time it will take for the program to figure it out.
'Instead, they'll use a method called a dictionary attack, where the program will cycle through a predefined list of common words that are used in passwords.'
Here are some steps to follow when creating a new password:
DO:
- Use a combination of numbers, symbols, uppercase and lowercase letters
- Ensure that the password is at least eight characters long
- Use abbreviated phrases for passwords
- Change your passwords regularly
- Log out of websites and devices after you have finished using them
DO NOT:
- Choose a commonly used password like '123456', 'password', 'qwerty' or '111111'
- Use a solitary word. Hackers can use dictionary-based systems to crack passwords
- Use a derivative of your name, family member's name, pet's name, phone number, address or birthday
- Write your password down, share it or let anyone else use your login details
- Answer 'yes' when asked to save your password to a computer browser