Social Captain Instagram Accounts Exposed and Experts' Reactions

Social Captain, a social media boosting service that bills itself as a way to increase users' Instagram followers, has exposed thousands of Instagram account passwords after storing them in unencrypted plain text.

Experts' Comments

February 03, 2020
Javvad Malik
Security Awareness Advocate
KnowBe4
Social influence is almost as valuable as real currency these days, and there is no shortage of services which promise to boost individuals' social presence and following. However, social media accounts can be worth a lot, particularly those belonging to influencers, some of whom can charge many thousands per post. Therefore, it's vital for companies that provide such services to have security at the forefront of any app they develop to ensure the safety of its users. From a user perspective, they should take all measures available to secure their social media accounts. This includes turning on failed logon or new login notifications and enabling 2FA. Most importantly, users should never share their passwords for one platform with another, even if it is to boost their social presence. A good service would not ask for users' password and rather link accounts via OAuth or similar.
February 03, 2020
Keith Geraghty
Solutions Architect
Edgescan
There is so much peak "millennial" in this story. Unfortunately, social status has become such a talking point of modern life, so much so that users and companies do whatever they can to improve their presence on social media. This also means that security may take a back seat. This application was certainly not ready to process data from such a large social media platform when it stores the usernames and passwords in plaintext, an issue that would be identified using a basic vulnerability scan. The actual bug is interesting, as it highlights how easily security can go wrong when facilitating third party integration. In this case, it was integration with a third party email service. In my experience, this represents one of the toughest areas from a security testing scenario. What's exposed, whose scope does it fall under, do I have the right to test it? APIs and other methods of integration have greatly enhanced the web experience for users, but it's time for organisations to realise that security needs to be as important as user experience. APIs and third party libraries should be mapped out and tested with the same depth and rigour as the application and network that feeds them. A "full-stack" approach needs to be taken. As always, it will be interesting what action will be taken under GDPR and CCPA in relation to this breach.
February 03, 2020
Stuart Sharp
VP of Solution Engineering
OneLogin
It is disappointing that in 2020 we are still seeing service providers failing to follow even the most basic steps to secure their customers' data. The vast majority of websites should never need to store a user's password (instead they are stored as a one-way, non-reversible hash). The Social Captain use case is special -- they need the user's clear-text password to log into their customer's account. Given the sensitive nature of this architecture, it is all the more surprising that they failed to encrypt users' passwords by default — and it appears that they continue to store these passwords in the clear. Service providers have a duty of care to their users to follow security best practices — discovery of a vulnerability like this should prompt a service provider to go back to the drawing board and radically rethink their approach to security.
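The "one-way, non-reversible hash" that Stuart Sharp contrasts with Social Captain's plaintext storage looks like this in practice. The following is an added illustration written for this page, not code from Social Captain or from any of the commenters; it uses Python's standard-library scrypt with per-user random salts, a self-describing record format, constant-time comparison, and a dummy verification for unknown usernames so login timing does not reveal which accounts exist. The work factors and the `scrypt$N$r$p$salt$key` record layout are choices made for the example.

```python
import base64
import hashlib
import hmac
import os

# scrypt work factors chosen for this example (raise them as hardware allows).
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
KEY_BYTES = 32


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str) -> str:
    """Return a salted scrypt record; the password itself is not recoverable from it."""
    salt = os.urandom(SALT_BYTES)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)
    # Self-describing record: parameters travel with the hash so they can be
    # raised later without breaking verification of older records.
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     b64(salt), b64(key)])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    try:
        scheme, n, r, p, salt_b64, key_b64 = stored.split("$")
        if scheme != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(key_b64)
        n, r, p = int(n), int(r), int(p)
    except (ValueError, TypeError):
        # Malformed record: treat as a failed login rather than crashing.
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


# A throwaway record used to equalise timing for unknown usernames.
DUMMY_RECORD = hash_password("")


def register(store: dict, username: str, password: str) -> None:
    """Store only the hash record; the clear-text password is never written."""
    store[username] = hash_password(password)


def login(store: dict, username: str, password: str) -> bool:
    stored = store.get(username)
    if stored is None:
        # Do the same amount of work for a missing user as for a real one.
        verify_password(password, DUMMY_RECORD)
        return False
    return verify_password(password, stored)


if __name__ == "__main__":
    users = {}
    register(users, "alice", "correct horse battery staple")
    print(users["alice"])
    print(login(users, "alice", "correct horse battery staple"))
    print(login(users, "alice", "wrong"))
```

The contrast with the Social Captain architecture is the point: a site that only needs to authenticate its own users can keep records like these, from which an attacker who dumps the database learns nothing directly usable. A service that must log in to Instagram on the user's behalf cannot use a one-way hash and is left holding reusable credentials, which is why the commenters below push towards delegated authorisation instead.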
February 03, 2020
David Emm
Principal Security Researcher
Kaspersky
While it's understandable that people might want to boost their Instagram following, this shouldn't be at the expense of their online security. The fact Social Captain – or indeed any online service – stores login credentials in plain text is of great concern. In this particular case it's even scarier to think that someone else could view these credentials without even having to log in to the Social Captain site. Anyone who has signed up to Social Captain should change their Instagram passwords.
February 03, 2020
Bob Rudis
Chief Data Scientist
Rapid7
Individuals should think twice before letting a third-party site, service, or application use actual credentials for things like Twitter, Instagram, Facebook (et al.) since such a requirement inherently means those credentials will be stored in a way to be reused (i.e. the passwords will not be hashed). Furthermore, the OAuth standards were developed to enable support for third-party workflows without the need to give unrestricted access via the use of user credentials. If a site's API does not provide sufficient functionality, these third-party services should work with the primary application — i.e. Social Captain should have worked with Instagram to have whatever functionality they needed baked into the API proper vs. bypassing these safety measures by requiring user credentials. Hopefully this will be a learning opportunity for other third-party services who still rely on user credentials for access and instrumentation to services like Twitter, Instagram, or Facebook.
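Bob Rudis and Javvad Malik both point to OAuth as the way a third party should link to a user's account without ever seeing the password. The exchange below is an added example written for this page, not code from Social Captain, Instagram or any commenter, and it does not describe Instagram's real API: the authorisation endpoint, client id, redirect URI and scope names are hypothetical placeholders. It shows the client half of an OAuth 2.0 authorization-code flow with a `state` value to tie the callback to a request the client actually started and a PKCE challenge (RFC 7636, S256) so an intercepted code is useless without the verifier; a small stand-in plays the provider's redirect so the whole exchange runs offline.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical provider configuration for illustration only; these are not
# Instagram's real endpoints, client id or scope names.
AUTHORIZE_URL = "https://provider.example/oauth/authorize"
CLIENT_ID = "booster-demo-client"
REDIRECT_URI = "https://booster.example/oauth/callback"
SCOPES = ["profile.read", "media.read"]  # ask only for what the feature needs


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 method: code_challenge = BASE64URL(SHA256(code_verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_request():
    """Client, step 1: the URL to send the user to, plus the per-request
    secrets the client keeps server-side until the callback comes back."""
    state = secrets.token_urlsafe(24)
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, within RFC 7636 limits
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(SCOPES),
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    pending = {"state": state, "code_verifier": verifier}
    return AUTHORIZE_URL + "?" + urlencode(params), pending


def query_params(url: str) -> dict:
    """Single-valued view of a URL's query string."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def simulate_provider_redirect(auth_url: str, code: str) -> str:
    """Constructed stand-in for the provider: the user authenticates and
    consents on the provider's site, and the browser is sent back to
    redirect_uri carrying a short-lived code and the unchanged state."""
    req = query_params(auth_url)
    return req["redirect_uri"] + "?" + urlencode({"code": code, "state": req["state"]})


def handle_callback(callback_url: str, pending: dict) -> dict:
    """Client, step 2: validate the callback and build the token request.

    No password passes through the client; the code plus the PKCE verifier
    are exchanged (over TLS, at the provider's token endpoint) for a token
    limited to the requested scopes, which the user can later revoke."""
    cb = query_params(callback_url)
    state = cb.get("state", "")
    if not hmac.compare_digest(state.encode("utf-8"), pending["state"].encode("utf-8")):
        raise ValueError("state mismatch: callback is not tied to a request we started")
    if "error" in cb:
        raise ValueError("authorization failed: " + cb["error"])
    if not cb.get("code"):
        raise ValueError("callback carried no authorization code")
    return {
        "grant_type": "authorization_code",
        "code": cb["code"],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": pending["code_verifier"],
    }


if __name__ == "__main__":
    url, pending = build_authorization_request()
    print("redirect user to:", url)
    callback = simulate_provider_redirect(url, "SplxlOBeZQQYbYS6WxSbIA")
    print("token request body:", handle_callback(callback, pending))
```

The property worth noticing is what the booster service ends up storing: an access token scoped to `SCOPES`, not the user's Instagram password. If that token store leaks, the damage is bounded by the scopes granted and ends when the user revokes the grant, whereas a leaked plaintext password is the whole account until it is changed.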
February 03, 2020
Jake Moore
Cybersecurity Specialist
ESET
Instagrammers need to be certain that they haven't used the same password for their Instagram account and other online accounts. Hackers create tools to re-use passwords stolen in data breaches like this, which is known as 'password stuffing'. It would also be wise for all Instagram users to check that they have two factor authentication implemented, as this makes password stuffing attacks much harder for cyber criminals to carry out.