A social media boosting service recently found itself in hot water after thousands of Instagram accounts were exposed online.
The company, a startup named Social Captain, reportedly specialises in helping Instagram users increase their number of followers through its platform.
Users are asked to enter their Instagram username and password into the platform to get started.
According to TechCrunch, Social Captain was storing the passwords of linked Instagram accounts in unencrypted plaintext. Any user who viewed the web page source code on their Social Captain profile page could see their Instagram username and password in plain sight, so long as they had connected their account to the platform.
‘Making matters worse, a website bug allowed anyone access to any Social Captain user’s profile without having to log in — simply plugging in a user’s unique account ID into the company’s web address would grant access to their Social Captain account — and their Instagram login credentials.’
Some of the affected users were paying customers, and the breach exposed their billing addresses.
A security researcher who had scraped Social Captain’s site found that, out of 10000 users, approximately 4700 records were complete with Instagram usernames and passwords, while the rest were just accounts containing a user’s name and their email address.
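The two flaws reported above, a profile page served to anyone who supplies an account ID and a stored password written into that page, are shown side by side with a corrected handler in this added example. It is not Social Captain's code; the record layout, function names and sample values are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Account:
    name: str
    email: str
    ig_username: str
    ig_password: str  # held in recoverable form, as in the report

# Constructed sample records; every value is made up for this example.
ACCOUNTS = {
    1001: Account("Alice", "alice@example.test", "alice_ig", "constructed-pw-1"),
    1002: Account("Bob", "bob@example.test", "bob_ig", "constructed-pw-2"),
}

def profile_flawed(requested_id, session_account_id=None):
    """Both reported flaws: the session is ignored and the secret is rendered."""
    acct = ACCOUNTS.get(requested_id)
    if acct is None:
        return 404, {}
    return 200, {"name": acct.name, "email": acct.email,
                 "ig_username": acct.ig_username,
                 "ig_password": acct.ig_password}

def profile_hardened(requested_id, session_account_id=None):
    """Require a login, serve only the caller's own record, never emit the secret."""
    if session_account_id is None:
        return 401, {}
    # Foreign and unknown IDs get the same answer, so IDs cannot be enumerated.
    if requested_id != session_account_id or requested_id not in ACCOUNTS:
        return 404, {}
    acct = ACCOUNTS[requested_id]
    return 200, {"name": acct.name, "email": acct.email,
                 "ig_username": acct.ig_username,
                 "ig_linked": bool(acct.ig_password)}

if __name__ == "__main__":
    print(profile_flawed(1002))                            # no login, full record
    print(profile_hardened(1002))                          # (401, {})
    print(profile_hardened(1002, session_account_id=1001)) # (404, {})
    print(profile_hardened(1001, session_account_id=1001)) # own record, no secret
```

The hardened handler only fixes what the page returns; protecting the credential at rest is a separate control that this example does not cover.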