On Thursday, Facebook revealed that millions of Instagram users' passwords were accidentally stored in plain text on its servers, making them accessible to Facebook employees. If the news spooked you, there are a number of ways to protect your Instagram account after Facebook's announcement.
"As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems," Facebook said in its initial announcement from March. "We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way." On Thursday, Facebook updated its statement to add that it has since "discovered additional logs of Instagram passwords being stored in a readable format," and that "this issue impacted millions of Instagram users."
Bustle spoke with Rebecca Herold, founder of Privacy Professor Consultancy and president of the info security firm SIMBUS 360, and she offered several tips for securing social media accounts, both in light of the recent news and in general.
First up, she suggests you change your Instagram password. Although Facebook said that millions of passwords were exposed, Herold stresses that social media users should change their passwords whenever a security flaw is reported, regardless of how insignificant that flaw may seem in news reports.
"Even if they say, 'oh, you know, we have 10 million people using our system, and only 2,000 of the passwords were compromised,'" Herold tells Bustle. "Go ahead and change your password ... if only a fraction of passwords are compromised, I would go ahead and assume that mine might have been compromised as well."
Facebook said that, according to its internal investigation, none of the exposed passwords were "internally abused or improperly accessed." Nevertheless, Herold says that "it's better to be safe than sorry — especially [if] you have something out there that you would not want the whole world to see."
Herold also recommends using different passwords for different sites and services.
"You should not be using the same passwords for your work ID passwords, for your banking, for your retail — just change the passwords right away," Herold says. "Don't use the same passwords that you use elsewhere." Users should also select passwords that are "as long as possible, and complex, meaning upper- and lower-case [characters]."
Lastly, like many cybersecurity experts, Herold urges Instagram users to set up two-factor authentication on their accounts. When enabled, this feature requires a user to jump through two hoops before logging in to Instagram: in addition to entering their username and password, they must also enter a unique, time-sensitive code that's sent to their phone, either via text message or through an app such as Google Authenticator.
"That way, if someone is trying to use your password to get into your Instagram account, they still would not be able to, because they'd have to do this second authentication step," Herold tells Bustle. "If they don't have something physically with them, like your phone, they won't succeed."