Personal details of thousands of Instagram users have been exposed by a social media boosting service called Social Captain. The exposed data includes Instagram usernames and passwords, which means anyone who obtained it could log straight into the affected accounts.
Social Captain claims to help thousands of users grow their Instagram follower counts by connecting their accounts to its platform. To get started, users are asked to enter their Instagram username and password. TechCrunch reported that Social Captain stored the passwords of linked Instagram accounts in unencrypted plain text.
Any user who viewed the source code of their own Social Captain profile page could see their Instagram username and password in it, as long as the account was connected to the platform.
What made things worse was a website bug that allowed anyone to access any Social Captain profile without logging in. Plugging a user's unique account ID into Social Captain's web address granted access to that user's profile page, and with it the Instagram credentials embedded in the page. This is a textbook broken access control flaw, an insecure direct object reference: the server looked the profile up by the ID in the URL without checking that the requester owned it.
Because user account IDs were “for the most part sequential, it was possible to access any user’s account and view their Instagram password and other account information with relative ease”, reported TechCrunch.
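To make the two defects concrete, here is an added example written for this page; it is not Social Captain's code (which is not public) and uses constructed sample accounts, sessions and page markup. The vulnerable handler does what the article describes: it looks a profile up by the ID in the URL with no ownership check and renders the stored plaintext Instagram password into the page source. The hardened handler binds the lookup to the authenticated session and never emits the credential. An `enumerate_ids` helper shows what walking sequential IDs yields against each version.

```python
from typing import Callable, Dict, Optional


class Unauthorized(Exception):
    """No valid session was presented."""


class Forbidden(Exception):
    """A valid session was presented, but it does not own the requested profile."""


# Constructed sample data: a few accounts with sequential IDs, as TechCrunch
# described. The ig_password field is stored in plaintext, the first defect.
ACCOUNTS: Dict[int, dict] = {
    1001: {"name": "Alice", "ig_username": "alice_ig", "ig_password": "hunter2"},
    1002: {"name": "Bob", "ig_username": "bob_ig", "ig_password": "correct-horse"},
}

# Constructed session store: session token -> owning account ID.
SESSIONS: Dict[str, int] = {"sess-alice": 1001}


def vulnerable_profile_page(account_id: int, session_token: Optional[str] = None) -> str:
    """Profile page as the article describes it: the ID from the URL is the only
    input (no ownership check, an insecure direct object reference), and the
    stored plaintext password is rendered straight into the HTML source."""
    acct = ACCOUNTS[account_id]
    return (
        f"<div id='profile' data-ig-user='{acct['ig_username']}' "
        f"data-ig-pass='{acct['ig_password']}'>{acct['name']}</div>"
    )


def hardened_profile_page(account_id: int, session_token: Optional[str] = None) -> str:
    """Same page with two fixes: the lookup is bound to the authenticated
    session, and the credential never reaches the client. The service still
    needs the password server-side to act on the user's behalf, so this fix
    is about what the page emits, not about how the secret is stored."""
    if session_token is None or session_token not in SESSIONS:
        raise Unauthorized("login required")
    if SESSIONS[session_token] != account_id:
        raise Forbidden("session does not own this profile")
    acct = ACCOUNTS[account_id]
    return f"<div id='profile' data-ig-user='{acct['ig_username']}'>{acct['name']}</div>"


def enumerate_ids(page: Callable[[int, Optional[str]], str], start: int, count: int,
                  session_token: Optional[str] = None) -> Dict[int, str]:
    """What the researcher's scrape amounts to: walk a range of sequential IDs
    and keep every page the server is willing to return."""
    leaked: Dict[int, str] = {}
    for account_id in range(start, start + count):
        try:
            leaked[account_id] = page(account_id, session_token)
        except (KeyError, Unauthorized, Forbidden):
            continue
    return leaked


if __name__ == "__main__":
    # An anonymous scrape of the vulnerable endpoint harvests every account,
    # passwords included.
    print(enumerate_ids(vulnerable_profile_page, 1000, 5))
    # The same scrape against the hardened endpoint, even with Alice's own
    # session, yields only Alice's page, and no password.
    print(enumerate_ids(hardened_profile_page, 1000, 5, "sess-alice"))
```

Two design points follow from the example. Replacing sequential IDs with random opaque ones makes enumeration harder but is not a substitute for the ownership check, which is the actual fix. And keeping the password out of the page only addresses exposure to the browser; the plaintext copy at rest is a separate problem that a service holding third-party credentials has to solve on the server side (at minimum encryption under a server-held key, and ideally not collecting the password at all).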
A security researcher, who did not wish to be named, alerted TechCrunch to the vulnerability and provided a spreadsheet of about 10,000 scraped user accounts as proof. (A recent court ruling held that scraping websites does not fall afoul of US computer hacking laws.)
The spreadsheet TechCrunch obtained contains about 4,700 complete sets of Instagram usernames and passwords; the remaining records contain only the user's name and email address.
The spreadsheet also showed whether each account was on a free trial or was a paid premium account. "Only about 70 accounts were paying customers, the data said, but many of those premium accounts also contained the customer's billing addresses," reported TechCrunch.
TechCrunch also verified the bug by creating a dummy Instagram account and “connecting it to a new Social Captain account, and viewing the web page source code of our profile page on Social Captain”.
After TechCrunch reached out, Social Captain confirmed that it had fixed the vulnerability by "preventing direct access to other users' profiles". However, passwords and other account information are still visible in the web page source code of a user's own profile page, so the access-control fix closes the enumeration path but leaves the underlying problem, plaintext storage and client-side exposure of third-party credentials, unaddressed.
“Early analysis indicates that the issue was introduced during the past weeks when the endpoint, meant to facilitate integration with a third-party email service, has been temporarily made accessible without token-based authentication,” said Anthony Rogers, chief executive at Social Captain.
“As soon as we finalise the internal investigation we will be alerting users that could have been affected in the event of a breach and prompt them to update the associated username and password combinations,” Rogers said.
Rogers has not said how long the investigation will take.
Commenting on the leak, Instagram said that Social Captain had breached its terms of service by improperly storing login credentials.
“We are investigating and will take appropriate action. We strongly encourage people to never give their passwords to someone they don’t know or trust,” said an Instagram spokesperson.
Users who signed up to Social Captain should change their Instagram passwords immediately, and anyone who reused that password on other services should change it there as well, since leaked credential pairs are routinely tried against other sites.