Instagram passwords exposed through a social media boosting service

“An Instagram followers boosting service has exposed thousands of Instagram account passwords.”

Social media boosting services are nothing new. People tempted to buy followers for their social media accounts, for reasons of their own, have relied on them for quite a while now. Instagram, one of the major social media platforms, has always been one such example. If you intend to grow your Instagram profile in terms of followers, there are many ways other than building a genuine audience (which, by the way, takes a considerable amount of time), and one such way is to ‘buy’ the followers. Among the popular social media boosting websites, a new startup dubbed Social Captain has been pretty popular, owing to the decent prices quoted for the services it offers. What nobody would have expected is that the service has exposed thousands of Instagram account passwords, leaving the accounts vulnerable and open in the wild.

Social Captain, as per the recent report, has been storing the passwords of linked Instagram accounts in unencrypted plaintext. In layman’s terms, anyone who knows the basics of HTML and had connected an account to the platform could read their Instagram username and password by viewing the website’s source code. This, by the way, is not rocket science by any means. A simple right-click on the website’s account page gives you access to the source code in browsers like Google Chrome and Mozilla Firefox. To make matters worse, the website gives anyone access to the profile of any user who has signed up for Social Captain. Users don’t even have to log in: they can simply put any user’s unique account ID into the company’s web address and voilà, the Instagram login credentials pop up in plain sight.

A security researcher (who preferred to stay anonymous) informed TechCrunch about the website’s security vulnerability. The researcher even provided the publication with a spreadsheet that contained around 10,000 scraped user accounts of people who had signed up for the service. Out of the 10,000 accounts, approximately 4,700 had complete details: the Instagram usernames as well as the passwords. The rest had only the usernames and the email addresses used to create an account on Social Captain. The data further suggests that around 70 of those accounts were premium accounts, and even their billing addresses were exposed.

TechCrunch tried to double-check the breach by creating a dummy Instagram account and signing up for a new Social Captain account. After doing so, the publication could verify the breach. As a matter of fact, the same vulnerability was reported to Social Captain. “Early analysis indicates that the issue was introduced during the past weeks when the endpoint, meant to facilitate integration with a third-party email service, has been temporarily made accessible without token-based authentication,” said Anthony Rogers, Chief Executive at Social Captain. “As soon as we finalize the internal investigation, we will be alerting users that could have been affected in the event of a breach and prompt them to update the associated username and password combinations,” he continued. Addressing the same issue, an Instagram spokesperson warned Instagram users. “We are investigating and will take appropriate action. We strongly encourage people to never give their passwords to someone they don’t know or trust,” said the spokesperson.
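The flaw described above (a profile endpoint keyed by account ID, reachable without token-based authentication, that returns the stored Instagram password) shown next to a corrected handler. This is an added example, not Social Captain's code; the handler names, account records and token scheme are assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed sample data; account ids, names and secrets are made up.
ACCOUNTS = {
    1001: {"email": "a@example.test", "ig_username": "alice_ig", "ig_password": "alice-secret"},
    1002: {"email": "b@example.test", "ig_username": "bob_ig", "ig_password": "bob-secret"},
}
SECRET_FIELDS = {"ig_password"}
SESSIONS = {}  # sha256(token) -> account id; raw tokens are never stored


def issue_token(account_id):
    """Create a session token for an account that has logged in."""
    token = secrets.token_urlsafe(32)
    SESSIONS[hashlib.sha256(token.encode()).hexdigest()] = account_id
    return token


def profile_vulnerable(account_id):
    """Flaw as reported: no authentication, and the stored password is in the response."""
    record = ACCOUNTS.get(account_id)
    return (200, dict(record)) if record else (404, {})


def profile_hardened(account_id, bearer_token):
    """Require a valid token, require that it belongs to the requested
    account, and strip credential fields from whatever is returned."""
    if not bearer_token:
        return 401, {}
    caller = SESSIONS.get(hashlib.sha256(bearer_token.encode()).hexdigest())
    if caller is None:
        return 401, {}
    # Same answer for "not yours" and "does not exist", so ids cannot be enumerated.
    if caller != account_id or account_id not in ACCOUNTS:
        return 404, {}
    public = {k: v for k, v in ACCOUNTS[account_id].items() if k not in SECRET_FIELDS}
    return 200, public
```

The hardened handler applies three separate controls: authentication, an ownership check on the requested ID, and an allow-by-omission filter so that credential fields never reach the rendered page even for the rightful owner.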

Whether or not the vulnerability is fixed in the future, it is always advisable to rely on trusted services for social media boosting. If you have signed up for Social Captain (or any such service, for that matter), we would advise you to change your Instagram password as soon as you can.