Social Media Boosting Service Exposed Thousands of Instagram Passwords

An anonymous reader quotes a report from TechCrunch:

A social media boosting startup, which bills itself as a service to increase a user’s Instagram followers, has exposed thousands of Instagram account passwords. The company, Social Captain, says it helps thousands of users to grow their Instagram follower counts by connecting their accounts to its platform. Users are asked to enter their Instagram username and password into the platform to get started. But TechCrunch learned this week Social Captain was storing the passwords of linked Instagram accounts in unencrypted plaintext. Any user who viewed the web page source code on their Social Captain profile page could see their Instagram username and password in plain sight, so long as they had connected their account to the platform.

Making matters worse, a website bug allowed anyone access to any Social Captain user’s profile without having to log in – simply plugging in a user’s unique account ID into the company’s web address would grant access to their Social Captain account – and their Instagram login credentials. Because the user account IDs were for the most part sequential, it was possible to access any user’s account and view their Instagram password and other account information with relative ease.

The security researcher who reported the vulnerability provided a spreadsheet of about 10,000 scraped user accounts to TechCrunch.

“The spreadsheet contained about 4,700 complete sets of Instagram usernames and passwords,” the report says. “The rest of the records contained just the user’s name and their email address.”
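
The two flaws described in the report, shown as an added example that is not Social Captain's code: a profile lookup with no login or ownership check that returns the stored password, beside a version that requires a session, serves only the session owner's record, and allow-lists the fields it renders. The account store, field names and function names are hypothetical, and the sample records are constructed.

```python
import secrets

# Constructed sample store; every name and value here is hypothetical.
USERS = {
    1001: {"name": "Alice", "email": "alice@example.test",
           "ig_user": "alice_ig", "ig_secret": "constructed-password-1"},
    1002: {"name": "Bob", "email": "bob@example.test",
           "ig_user": "bob_ig", "ig_secret": "constructed-password-2"},
}
SESSIONS = {}  # session token -> account id


def login(account_id):
    """Issue an unguessable session token for an existing account."""
    if account_id not in USERS:
        raise KeyError("unknown account")
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account_id
    return token


def profile_vulnerable(requested_id):
    """Flawed pattern: no login check, the account ID comes straight from
    the URL, and the stored third-party password is part of the page data."""
    return (200, dict(USERS[requested_id]))


# Allow-list of fields the page may render; the secret is never included.
PUBLIC_FIELDS = ("name", "email", "ig_user")


def profile_hardened(session_token, requested_id):
    """Authenticate, authorize against the session owner, then allow-list."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        return (401, None)  # not logged in
    if owner != requested_id or requested_id not in USERS:
        # Same answer for "not yours" and "no such ID", so sequential
        # IDs cannot be probed for existence.
        return (404, None)
    record = USERS[requested_id]
    return (200, {k: record[k] for k in PUBLIC_FIELDS})
```

The hardened function covers access control and page output only; how the linked-account secret is held at rest is a separate control that this example does not change.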