Social Captain, a social media booting service which helps users grow their Instagram follower count, has leaked thousands of Instagram usernames and passwords for potential hackers.
Reports indicate that Social Captain stored passwords of linked Instagram accounts in unencrypted plaintext. A website vulnerability allowed anyone access to any Social Captain user’s profile without having to log in and access their Instagram login credentials.
A security researcher has provided a spreadsheet of about 10,000 scraped user accounts.
Social Captain said later it had fixed the vulnerability by preventing direct access to other users’ profiles. Instagram said the service breached its terms of service by improperly storing login credentials.
The stolen information was later dumped into a database and reportedly sold for $10 per record via Bitcoins.