Instagram’s Data Download Tool Leaked User Passwords
The leak has been fixed, but is it too late?
Instagram users have been notified by the company that a security bug in its system may have exposed users’ passwords to hackers. According to The Information (via Engadget) the company reports that the issue was discovered internally and, “Affected a very small number of people.”
The bug was associated with a data download feature, installed in response to the European General Data Protection Regulation (GDPR). The problem arose when users’ passwords appeared in the URL in their web browser. They were also stored on Facebook’s servers (Facebook is Instagram’s parent company). This is only possible, research experts claim if Instagram stores its passwords in plain text. If this is the case, they say, it could indicate a much deeper-running problem and promise similar problems for the company and its users. A company representative asserts that the company, in fact, “hashes and salts” password information to deter security breaches.
Representatives of Instagram assure the public that the problem has been fixed, and the company has urged current users to change their passwords as an additional precaution. One representative told The Verge that, “If someone submitted their login information to use the Instagram ‘Download Your Data’ tool, they were able to see their password information in the URL of the page. This information was not exposed to anyone else, and we have made changes, so this no longer happens.”
While Instagram may have done all they can, their security breach is endemic of a wide and costly problem affecting countless internet users and companies all over the world. Ponemon’s 2017 Cost of Data Breach study, 191 days is the average period most companies take to identify data breaches. That’s about six months, during which time a consumer’s ID can be stolen, credit destroyed, life damaged or ruined forever.
According to a 2018 online survey by The Harris Poll, nearly 60 million Americans have been affected by ID theft, with 15 million instances in 2017 alone. That figure has increased by roughly 1 million people per year, with the average annual cost of total losses hover between $16 and $22 billion.
And a lot of that loss is due to data breaches. The Identity Theft Resource Center counted 1,579 data breaches in 2017 alone, exposing 178 million records.
Based in Menlo Park, California, Instagram was founded in 2010 and had 550+ employees. The company boasts incredible user numbers, making even a slight breach in the company’s security a dangerous matter. According to Omnicore, there are 1 billion monthly active Instagram users, 500 million daily active users, and 400 million daily users of Instagram Stories. Instagram hosts 25 million businesses, generating 4.2 billion likes per day, features 100 million uploaded photographs and videos. Six in ten online adults have integral accounts, 32% of all internet user are on Instagram, 72% of teens use the program, and 72% of US businesses are on the site as of 2018.