Millions of Instagram Accounts Were Stored Insecurely by Facebook

Last updated July 13, 2021
Written by:
Bill Toulas
Bill Toulas
Cybersecurity Journalist

Last month, Facebook announced that they had stored millions of user accounts credentials in plain text form, which were also accessible by quite a few thousand of their employees. While Facebook users received this news with chagrin, Instagram account holders thought that they had dodged that bullet. Initially, Facebook estimated the Instagram accounts that were affected to be in the order of the tens of thousands. However, a more in-depth investigation now puts them on the range of millions, so here we go again.

The update that they added onto the month-old security incident announcement writes: “Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed.”

Facebook has not clarified exactly how many millions were affected after all, probably because they still can’t be certain about that. Moreover, they have declined to comment on when exactly they have discovered these additional lists, so people are naturally assuming that there may be even more. Finally, choosing to update an old post with this additional information instead of publishing a new one dedicated to this discovery is also not the best way to go. Isn’t the discovery of millions of user accounts stored in plaintext readable form sitting in accessible company servers, not a serious enough reason for the release of a dedicated announcement? Apparently, not for Facebook.

If you have an Instagram account and you’re worried about its security, make sure to enable the two-factor authentication option, change your password regularly, and always use a unique, strong password that is a combination of letters, numbers, and punctuation marks. Finally, take full control of your account login sessions, uncheck the “Remember Me” box when using a computer that you don’t own or trust, and think about it twice when a third-party app asks you for Instagram account access authorization. Other than that, there isn’t much else you can do, as if the company behind Instagram is storing your account credentials with such carelessness, you can only wish for good luck.

How are you securing your Instagram account? Share your method in the comments section below, and don’t forget that you have the power to help us spread the news by sharing this post through our socials, on Facebook and Twitter.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: