Thousands of Instagram passwords exposed online after follower-boosting app Social Captain is found to be storing them in plain text
- Instagram users that linked their account to Social Captain are at risk
- Vulnerability left passwords stored in plain text on unencrypted site
- Experts have said the vulnerability is of 'great concern' to users and urge those affected to update their passwords immediately
Thousands of Instagram accounts had their passwords exposed due to a vulnerability in an app claiming to boost follower numbers.
Social Captain was revealed as storing passwords of its users in an unencrypted file which could be easily accessed by hackers.
Criminals who accessed the site would have been able to simply read an account's username and password in plain text.
It is unknown if any details were seized by hackers but users are urged to change their password and details urgently.
Instagram users that signed up to the Social Captain site to boost their numbers had to link their accounts.
This information, TechCrunch revealed, was poorly stored.
An unnamed security researcher found the vulnerability and reported it to TechCrunch, who in turn informed Social Captain.
'Any user who viewed the web page source code on their Social Captain profile page could see their Instagram username and password in plain sight, so long as they had connected their account to the platform,' the report claims.
'Making matters worse, a website bug allowed anyone access to any Social Captain user's profile without having to log in — simply plugging in a user's unique account ID into the company's web address would grant access to their Social Captain account — and their Instagram login credentials.'
Some of the users were also paying users, and the breach exposed their billing address.
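The two flaws described in the report, sketched as an added example (this is not Social Captain's code; the handler names, account IDs and data are constructed for illustration): a profile handler that trusts the ID in the URL and renders the stored credential, beside one that binds the request to a session and keeps the secret server-side.

```python
import secrets

# Constructed sample data: account IDs, names and secrets are made up.
ACCOUNTS = {
    1001: {"ig_user": "alice_pics", "ig_secret": "constructed-secret-A",
           "billing": "1 Example Street"},
    1002: {"ig_user": "bob_travels", "ig_secret": "constructed-secret-B",
           "billing": "2 Sample Road"},
}
SESSIONS = {}  # session token -> account ID it was issued to


def login(account_id):
    """Issue an unguessable session token bound to one account."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account_id
    return token


def profile_vulnerable(account_id):
    """The reported behaviour: no login check, and the linked
    Instagram credential is written into the page source."""
    acct = ACCOUNTS.get(account_id)
    if acct is None:
        return 404, ""
    return 200, (f'<input name="ig_user" value="{acct["ig_user"]}">'
                 f'<input name="ig_pass" value="{acct["ig_secret"]}">')


def profile_hardened(account_id, token):
    """Require a session, check it owns the requested ID, and never
    render the stored credential or billing data into the page."""
    owner = SESSIONS.get(token)
    if owner is None:
        return 401, ""
    # Same answer for "not yours" and "does not exist", so IDs
    # cannot be enumerated by comparing responses.
    if owner != account_id or account_id not in ACCOUNTS:
        return 404, ""
    acct = ACCOUNTS[account_id]
    return 200, f'<p>Linked account: {acct["ig_user"]} (connected)</p>'
```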
David Emm, Principal Security Researcher at Kaspersky, said: 'While it's understandable that people might want to boost their Instagram following, this shouldn't be at the expense of their online security.
'The fact Social Captain – or indeed any online service – stores login credentials in plain text is of great concern.
'In this particular case it's even scarier to think that someone else could view these credentials without even having to log in to the Social Captain site.
'Anyone who has signed up to Social Captain should change their Instagram passwords.'
Anthony Rogers, chief executive at Social Captain, told TechCrunch that it is believed the vulnerability is a recent issue.
'Early analysis indicates that the issue was introduced during the past weeks when the endpoint, meant to facilitate integration with a third-party email service, has been temporarily made accessible without token-based authentication,' he said.
An Instagram spokesperson said: 'As soon as we finalise the internal investigation we will be alerting users that could have been affected in the event of a breach and prompt them to update the associated username and password combinations.'