If You Downloaded ‘InstaAgent’, Change your Instagram Password Now


Did you happen to download and install InstaAgent from the App Store recently? If you did and logged into the app with your Instagram password, your credentials have been compromised. The malicious app (developed by a “Turker Bayram” a month ago) was one of the top free apps in Canada and the U.K., and evidence has proven it harnessed user logins.

You can see the people who looked your Instagram profile !

InstaAgent application research your profile for the people who views your profile.
App analyses your followers actions with your profile then makes a list for you.

App can show you maximum 100 persons. This app sorts list order by view.

You must have an Instagram account to use this application.
This app tries to make most correct list for you.

Screen322x572 39 Screen322x572 40

The discovery was made by @PeppersoftDev David L-R (via MacRumors), who discovered usernames and passwords were being sent in clear text to a remote server. The app, titled “Who Viewed Your Profile – InstaAgent”, was also available on Google Play, and affected the latter’s users as well.

Google was quick to pull the app from Google Play earlier this afternoon, while Apple followed suit a couple hours later.

The major issue with this privacy breach is if your Instagram login and password is also used on other websites, you have a security SNAFU on hand. It’s probably best to delete InstaAgent, change your Instagram password and also any other sites that may use the same login. This is why it’s crucial nowadays to use a password manager like 1Password to create unique passwords for every site you login to nowadays.

Not sure how this made it past Apple’s strict App Store approval process, but those affected by this breach probably aren’t too happy right about InstaAgent right now.


  • Stefan

    I don’t think this app is malicious on purpose. No developer/hacker would send that kind of information over the wire unencrypted. It just does not add up. If this was a truly malicious app developer would hide the fact that he/she is stealing passwords better. I am thinking that he/she is using some kind of web service that is doing the logging for her/him, and with being an inexperienced developer, he/she sends the logging data in plain text.

    Maybe I am wrong, but this is the only way it ads up in my opinion.

  • John

    I wonder whether the app actually worked, accurately creating a list of profile viewers, and for whatever reason the dev failed to encrypt usernames and passwords, or if the login information was used to skim the friends list, create a fake list of profile views to facilitate sharing the app with others, and then fail at masking the malicious intent?

    Maybe they just didn’t think it would be necessary to use encryption? No need to protect it if you are stealing it.

  • Stefan

    I agree about the first point. I think that app never actually did what it said it does. About encryption, it is not about protection of the data being stolen. It is about hiding what you have stolen. What they did is rob a bank and then walk down the street with bags of cash. That just does not make sense to me. Even a stupidest bank rober would not do something like that.