Personal details of thousands of Instagram users have been exposed by a social media boosting service called Social Captain, the online media website TechCrunch reported.
Social Captain, which helps users grow their Instagram follower counts, has leaked thousands of Instagram usernames and passwords, leaving them open to potential hackers. Account details were stored in unencrypted plain text on Social Captain.
The vulnerability in Social Captain could easily be accessed by anyone, bypassing the need for Instagram login access and credentials.
“A security researcher, who didn’t want to be named, alerted TechCrunch to the vulnerability and provided a spreadsheet of about 10,000 scraped user accounts. The spreadsheet carried about 4,700 complete sets of Instagram usernames and passwords. The rest of the records contained just the user’s name and their email address. About 70 accounts were premium accounts of paid customers and contained the customers’ billing addresses,” according to the report.
Social Captain confirmed it had fixed the vulnerability by preventing direct access to other users’ profiles. But passwords and other account information are still visible in the web page source code.
“Early analysis indicated the issue was introduced during the past couple of weeks when the endpoint meant to facilitate integration with a third-party email service has been temporarily made accessible without token-based authentication.”
Anthony Rogers, Chief Executive, Social Captain
“As soon as we finalize the internal investigation we will be alerting users that could have been affected in the event of a breach and prompt them to update the associated username and password combinations,” he said.
Social Captain has breached Instagram’s terms of service by improperly storing login credentials.
“We are investigating and will take appropriate action. We strongly encourage people to never give their passwords to someone they don’t know or trust,” an Instagram spokesperson said.