Instagram Follower Service Exposes User Passwords
A startup called Social Captain, which offers users the ability to increase their Instagram followers, has exposed the passwords of thousands of Instagram accounts.
Social Captain’s service description claims the company can boost users’ Instagram follower counts by connecting their accounts to its platform. To use this online service, users are required to enter their Instagram username and password.
However, it was discovered that the company stored all Instagram account passwords in plain text. Accessing these exposed credentials was relatively easy—anyone could simply look at the source code of the Social Captain web page to find them.
To make matters worse, a bug allowed any visitor to access a Social Captain user’s profile without authentication. All that was needed was to insert the user’s unique identifier into the Social Captain URL.
Anyone who has used Social Captain’s services is strongly advised to change their Instagram passwords immediately. The issue is particularly serious, as an unnamed researcher has already collected the credentials of about 10,000 accounts.
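The two flaws described above (a profile page served to anyone who supplies a user's identifier, and the stored Instagram password present in the page source) are shown here beside a corrected handler. This is an added example, not Social Captain's code; the account data, session store and function names are constructed for illustration.

```python
from html import escape

# Constructed sample data: account ids, usernames and secrets are made up.
ACCOUNTS = {
    "1001": {"ig_username": "alice_example", "ig_password": "constructed-secret-A"},
    "1002": {"ig_username": "bob_example", "ig_password": "constructed-secret-B"},
}
# Constructed session store: session token -> account id of the logged-in user.
SESSIONS = {"tok-alice": "1001", "tok-bob": "1002"}


def profile_vulnerable(account_id):
    """Flawed pattern: no login check, and the stored secret is written into the HTML."""
    acct = ACCOUNTS.get(account_id)
    if acct is None:
        return 404, "not found"
    body = (
        f'<input name="username" value="{escape(acct["ig_username"])}">'
        f'<input type="password" name="password" value="{escape(acct["ig_password"])}">'
    )
    return 200, body


def profile_hardened(account_id, session_token):
    """Require a session, require that it owns the profile, never render the secret."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        return 401, "login required"
    # Authorization: the identifier in the URL must match the logged-in account.
    if owner != account_id or account_id not in ACCOUNTS:
        return 403, "forbidden"
    acct = ACCOUNTS[account_id]
    # The password field is left empty; the stored value never leaves the server.
    body = (
        f'<input name="username" value="{escape(acct["ig_username"])}">'
        '<input type="password" name="password" value="" placeholder="unchanged">'
    )
    return 200, body
```

A `type="password"` field only masks what is shown on screen; whatever is placed in its `value` attribute is still readable in the page source, which is why the corrected handler sends nothing there.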