Apple, Google Pull Unofficial Instagram App That Harvests Usernames And Passwords
An app called “Who Viewed Your Profile — InstaAgent” claimed it could tell users who had been checking them out. Instead, says iOS developer David Layer Reiss (via Apple Insider), the app’s code revealed that it had been storing usernames and passwords and sending them to a remote server:
He also found that some InstaAgent users were seeing spam photos posted to their Instagram timelines, as the app had all the credentials necessary to do so:
Both Apple and Google have removed InstaAgent from their stores, but users who already have the app installed could be affected. Reiss estimates that about 500,000 people could have had their Instagram account details compromised.
Neither Apple nor Google has commented yet, but Instagram says it will be emailing users about InstaAgent, and for now, advises users to get rid of it.
“These types of third-party apps violate our platform guidelines and are likely an attempt to get access to a user’s accounts in an inappropriate way,” the social media platform said in a statement to the BBC. “We advise against installing third-party apps like these. Anyone who has downloaded this app should delete it and change their password.”
It’s also a good idea to change your password on any other sites or apps where you use that password with the same username, or one that’s very similar to it.
Want more consumer news? Visit our parent organization, Consumer Reports, for the latest on scams, recalls, and other consumer issues.