Who doesn't wish to have hundreds and thousands of followers on Instagram, who appreciate, like and see your posts on a daily basis? There are many ways to increase follower count on Instagram but social media boosting service has become an easy and popular approach. Now, those who tried the latter are paying a hefty price for opting Social Captain's help to grow Instagram followers.
Social Captain is a startup that aims to help Instagram users grow follower count by connecting their accounts to its platform. Users must enter their username and password into the platform to get started. Sounds simple right? But what followed later is scarier and you'll wish you hadn't opted for the shortcut to boosting Instagram followers.
Instagram user info breached (AGAIN)
TechCrunch reported that usernames and passwords of thousands of Instagram users who linked their accounts to Social Captain have now been exposed. The website had stored passwords of linked accounts in plain text, allowing anyone to access any Social Captain user profile without having to log in and even access their Instagram login credentials.
A security researcher anonymously tipped the publication of the loophole and even shared a spreadsheet consisting of 10,000 scraped user accounts. Of that dataset, around 70 were premium customers and most of them had the billing address attached. The report also noted that about 4,700 entries had both Instagram usernames and passwords while the rest contained usernames and email addresses.
Since Social Captain had stored confidential credentials in plain text on its website, any user could view the web page source code on Social Captain profile page to find the username and password in an unencrypted format. A bug in the website allowed anyone to access any Social Captain user profile by plugging in a user's account ID into the company's web address.
Vulnerability patched, but partially!
In response to TechCrunch's query, Social Captain said that the vulnerability had been fixed. By this, the website meant any direct access to other users' profile was no longer allowed. But the fact that usernames and passwords were still visible in plain text was still a matter waiting to be addressed.
Instagram said that it was investigating the improper method of storing login credentials, which breached its terms of service, and action will be taken soon.
"We are investigating and will take appropriate action. We strongly encourage people to never give their passwords to someone they don't know or trust," an Instagram spokesperson said in a statement.
What should users do?
If you are signed up for Social Captain service or did so anytime in the past, it is incredibly important to update your passwords. Since the direct access to your account via Social Captain profile has been fixed, you might not need to change your username. But if you choose to, you can update the username as well.
This latest incident is yet another reminder of why users must be vigilant of their social media habits. In May last year, personal data belonging to millions of Instagram celebs and social media influencers were allegedly exposed by a Mumbai-based social media marketing firm. Last year, Instagram had discovered that an ad partner was secretly storing locations and other data on millions of users. The partnership was terminated then. Prior to that, a bug in Instagram resulted in leaking personal info of more than 6 million celebs, including Taylor Swift and Kim Kardashian.
