Some Instagram users may have had their password information exposed as a result of a security breach tied to the platform’s “download your data” feature, the Information reported on Friday.
The Facebook-owned company has notified users who may have been affected by the bug. A spokesperson for Instagram said the security flaw was “discovered internally and affected a very small number of people.”
Instagram’s “download your data” feature, introduced in April, “lets users download all the data that Instagram has on them, both to comply with new European data-privacy regulations and to satisfy increasingly privacy-sensitive users around the world," according to the tech news website.
Some users who used the tool had their passwords included in a URL in their web browser, meaning others could have seen the password if they had been using the feature on a shared computer or on a compromised network. The passwords were also stored on Facebook’s computers.
“This is very concerning about other security practices inside of Instagram because that literally should not be possible. If that’s happening, then there are likely much bigger problems than that,” Chet Wisniewski, a principal research scientist at security firm Sophos, told the Information.
Instagram said it has fixed the bug and deleted the data from Facebook’s servers, but it’s advising users to change their passwords as a precaution.
The security breach comes on the heels of several others that hit Facebook, including one in September which compromised the information of 50 million users.
The Information previously reported that Facebook may be looking to purchase a cybersecurity company to boost its defenses against hackers and prevent future security breaches, as well as increase its trustworthiness in the eyes of consumers, investors, and government regulators.