Instagram introduced Download Your Data option last April, to let the user’s know what are the data collected. The feature was implemented in Instagram for GDPRcompliance.
The bug was found in the Download Your Data tool, if the user uses the tool to download the data then it will be sent their password as a plain text in the URL and the passwords are stored on the Facebook servers.
A security researcher told Verge, “the Information that this would only be possible if Instagram stores its passwords in plain text, which could be a larger and concerning security issue for the company. An Instagram spokesperson disputed this, saying that the company hashes and salts its stored passwords.”