Rogue app compromises 500,000 Instagram accounts

InstaAgent collected and sent users' unencrypted account details to unknown servers before it was spotted

An app that stole up to half a million Instagram users' account details has been pulled from the Google Play Store and Apple's App Store.

Developer David Layer-Reiss, of Peppersoft Development, discovered that "Who Viewed Your Profile InstaAgent" was collecting login credentials to users' Instagram apps, and sending them, unencrypted, to the developer's server.

Instagram account usernames and passwords were then relayed to unknown servers in plain text, as Layer-Reiss demonstrated with a screen capture shared on Twitter.

It was also responsible for a fair bit of shameless self-promotion, spamming users' Instagram feeds with advertisements for the app without their permission.

He shared his findings in a series of tweets this morning, speculating that the developer had gained access to over 500,000 Instagram accounts.

The free app, which promised users the ability to see who was viewing their Instagram profile, topped the UK and Canadian stores before it was removed earlier today.

A number of apps advertising similar features still exist despite warnings from Instagram to avoid them and attempts to regulate third-party clients.

Apps offering an influx of new followers, claiming to sell likes, or revealing profile viewers generally do not work because information that is not shared with users is not shared with third-party applications, either. In most cases, they simply violate Instagram's terms of service.

To confuse things further, a legitimate app called InstaAgent is available for iOS, this one created by Philadelphia-based developer Craig Pearlman. Pearlman has tweeted about the confusion, attempting to differentiate his app from the information-stealing client making headlines. 

With hundreds of thousands likely affected, anyone who has downloaded the app should consider their Instagram account compromised. Users are advised to remove the app, revoke its access on Instagram, change their password, and monitor their account.

For those who have recycled log-in information for other services, it is best to monitor those accounts and reset those passwords as well - and perhaps not reuse passwords this time.

In the mean time, everyone is left wondering what the developer intended to do with half a million Instagram account details.

An Instagram spokesman told IT Pro: "These types of third-party apps violate our platform guidelines and are likely an attempt to get access to a user's accounts in an inappropriate way. We advise against installing third-party apps like these. Anyone who has downloaded this app should delete it and change their password."

Featured Resources

How to scale your organisation in the cloud

How to overcome common scaling challenges and choose the right scalable cloud service

Download now

The people factor: A critical ingredient for intelligent communications

How to improve communication within your business

Download now

Future of video conferencing

Optimising video conferencing features to achieve business goals

Download now

Improving cyber security for remote working

13 recommendations for security from any location

Download now

Recommended

The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

3 Mar 2021
Microsoft Exchange targeted by China-linked hackers
zero-day exploit

Microsoft Exchange targeted by China-linked hackers

3 Mar 2021
Malicious ‘dependency confusion’ packages are stealing password files
hacking

Malicious ‘dependency confusion’ packages are stealing password files

2 Mar 2021
What is the Computer Misuse Act?
Policy & legislation

What is the Computer Misuse Act?

2 Mar 2021

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

26 Feb 2021
How to connect one, two or more monitors to your laptop
Laptops

How to connect one, two or more monitors to your laptop

25 Feb 2021
Ransomware operators are exploiting VMware ESXi flaws
ransomware

Ransomware operators are exploiting VMware ESXi flaws

1 Mar 2021