Instagram notified users that their passwords may have been exposed. A spokesperson for the company says that the issue was “discovered internally and affected a very small number of people.”
The bug was connected with a tool that the company rolled out after European lawmakers rolled out its General Data Protection Regulation (GDPR). According to Instagram, some users who used that feature had their passwords included in a URL in their web browser, and that the passwords were stored on Facebook’s servers, Instagram’s parent company. Security researchers point out that this would only be possible if Instagram is storing passwords in plain text, which would be a much larger and concerning security issue.
Instagram claims the feature has been fixed and passwords will no longer be exposed, but people should still change their passwords.