The Instagram tool that allows users to download a copy of their data from the social media platform had a security flaw that accidentally leaked passwords in plain text. In April, Facebook-owned Instagram rolled out a Download Your Data tool that sends users a file containing all the pictures, comments, and other information that they have shared on the platform. The feature was rolled out to comply with new data privacy regulations in Europe and to address the privacy concerns of users around the world amid Facebook’s Cambridge Analytica scandal.
Unfortunately, the Download Your Data tool contained a security issue that also sent users their passwords in plaintext in the URL, The Information reported. In addition, for some reason, the passwords were also stored on Facebook’s servers, though they have since been deleted.
Instagram says that it has since fixed the feature so that passwords won’t be exposed, and told users that they should change their passwords, as a precaution.

An Instagram spokesperson says that “if someone submitted their login information to use the Instagram ‘Download Your Data’ tool, they were able to see their password information in the URL of the page. This information was not exposed to anyone else, and we have made changes so this no longer happens.”