Instagram has notified some of its users that their passwords may have been exposed due to a security bug, according to The Information (via Engadget). A company spokesman says the issue was "discovered internally and affected a very small number of people."
In this case, the bug was linked to a feature the company launched in April that allows users to download all their data, implemented after European lawmakers released the General Data Protection Regulation (GDPR). According to Instagram, some users who used this feature had their passwords included in a URL in their web browser, and the passwords were stored on the servers of Facebook, Instagram's parent company. A security researcher told The Information that this would only be possible if Instagram stored its passwords in plain text, which could be a major and worrisome security problem for the company. An Instagram spokesman has contested this, saying that the company hashes and salts its stored passwords.
Instagram says that since then it has fixed the feature so that passwords are not exposed, and told users that they should change their passwords as a precaution. In a statement to The Verge, an Instagram spokesperson said that "if someone submitted their login information to use the Instagram 'Download Your Data' tool, they could see their password information in the page URL. This information has not been exposed to anyone, and we have made changes, so it does not happen anymore."
Updated November 17, 3:30 PM ET: Included Instagram spokesperson information on password security.