Instagram has informed account holders of a security flaw that could have exposed their passwords.

Following the implementation of the General Data Protection Regulations (GDPR) earlier this year, Instagram rolled out a feature for users that allowed them to download all their account data – to see the information that the Facebook-owned company held on them. However, in doing so, users could have involuntarily revealed their passwords, as they were included within the URL generated from this feature and stored on Facebook’s servers.

In a statement, the company admitted: “If someone submitted their login information to use the Instagram ‘Download Your Data’ tool, they were able to see their password information in the URL of the page. This information was not exposed to anyone else, and we have made changes so this no longer happens.”

Reassuringly for Instagram users, the company identified and rectified the issue in house, before anyone else reported it. What’s more, it claimed that the flaw only affected “a very small number of people.”

Not so reassuring, however, was the claim from security researchers that could point to a much wider and more worrying issue. One such expert told The Verge that Instagram could only store passwords within a URL if they’re stored as plain text – which would make them much easier for hackers to access if they breached the Instagram servers. The company has refuted this claim, however, saying that it hashes and salts all stored passwords.

Though the issue has already been solved, Instagram has still asked some account holders to change their passwords as a precautionary measure, even though it doesn’t expect anyone to have accessed the data.

Any users concerned about their password security are advised to change it to something difficult for hackers to guess, and which hasn’t been used elsewhere – as repeated passwords would allow hackers to effectively get a ‘master key’ to every account a user has simply by repeating the credentials.