/nov 20, 2018

Instagram Bug Accidentally Reveals User Passwords

By Laura Paine

Facebook and Instagram have been having a rough go of it this year.

According to The Information, some Instagram users who made use of the platform's new feature received notification that their passwords were showing up in the URL of their web browsers. What's more, this information was also stored on Facebook's servers, causing a greater issue for anyone using a shared computer or an insecure network.

Reports from Fortune indicate that Instagram staff discovered the bug, which only affected a small number of users. The information was reportedly not exposed outside of the company. A spokesperson for Instagram also told Fortune that the tool has been updated and that it's deleting any logged passwords. It’s recommended that any affected users change their passwords and clear their browser history.

Twitter faced a similar issue in May, and urged all of it's users to change their passwords after an error in the hashing process saved user passwords in plain text to an internal log rather than masking them.

Stakes are High for Businesses to Meet GDPR Compliance - and They're Feeling the Heat

Instagram published the download your data tool in order to comply with new GDPR regulation and to offer their users a deeper look into all of the data the company had collected about them. The tool allows users to copy their photos, videos, and messages to their computers. Some say that in addition to meeting compliance, this move was meant to shine Facebook in a better light following the Cambridge Analytica scandal.

However, in September, Facebook announced that it had discovered attackers exploited a vulnerability in its code that impacted its "View As" feature, enabling them to Facebook access tokens – digital keys that allow users to stay logged in whether or not they’re actively using the application – which could then be used to take over user accounts. The breach is reportedly a result of multiple issues within Facebook's code, stemming from changes made to the social media platform’s video-uploading feature in July of last year that impacted the “View As” feature. Roughly 50 million accounts were affected, with as many as 90 million users required to log back into their accounts across devices.

According to a report from Silicon Republic, Ireland's Data Protection Commission has confirmed that it is investing the data breach, and that Facebook could face up to $1.6 billion in fines if it is found to have breached GDPR requirements. This could be one of the first major tests of the GDPR legislation.

Consumers and the Enterprise Alike Need to be More Discerning About Security

You would be hard pressed to find an executive that wants to see his or her company's software to be the one that leaks sensitive customer data in a cyberattack or otherwise. You would also be hard pressed to find a consumer who’d be happy that organizations' with their most sensitive personally identifiable information have been breached. Or that the organization may be leaking their passwords out into the worldwide web. As organizations continue to move in the right direction, reviewing the security of the software they purchase more closely, consumers must also leave behind their apathy in favor of adopting practices that help keep them safe online.

Related Posts

By Laura Paine

Laura Paine is a senior product marketing manager at Veracode, based in Burlington, MA.