Many social media apps and services let you sign in with Facebook. But only one — Instagram, owned by Facebook — assumes that you're using the same email address for both services.
And as Mashable has learned, that has led to at least one
embarrassing situation — where a man in his late 20s unwittingly found
himself with access to the Instagram account of a high school girl.
San Francisco resident Michael Wagner (no relation) created an
Instagram account shortly after the service launched in late 2010. He
never posted to the account, never really checked it, and ultimately
forgot about it.
When friends encouraged Wagner to re-open his Instagram at a brunch a
few weeks ago, Wagner pulled up the app but couldn't remember his
username or password. He wasn't sure which email he had used to sign up.
Instead, he hit the "Register With Facebook" button on the login screen
in hopes of signing in automatically.
The account opened, and Wagner, who had never posted a photo, was
surprised to find more than 100 photos posted and more than 500
followers of the account. It didn't take long to realize he was in
another user's account.
The account was operated by a girl who looks to be in high school.
Wagner, 27, now had access to her photos, messages, and friends list.
It appears that the girl — who has had control of the account since
its creation, according to Instagram — signed up for the service using
Wagner's email. (They share initials, so it's likely this was a typo.)
Instagram does not require users to verify their emails when they
sign up, so it's possible she never even realized she'd used an email
she didn't control.
The company says this issue is "rare," but won't specify how frequently people land in another user's account. It appears that
Instagram assumes that whoever owns a Facebook account's email address must also own the Instagram account associated with that same email. It's a poor assumption considering the vast number of users on both services.
What we don't know is how many others have signed up on Instagram
using the wrong email address — accidentally or purposely — and either
locked out the rightful email owner from signing up, or worse,
accidentally given the email owner access to all of their photos and
messages.
Companies such as Twitter, Google, and even Instagram's parent, Facebook, are offering existing users two-step authentication
to ensure a password alone won't lead to the loss of their private
information. On these services, setting up an account also requires
verification of some sort.
On Twitter, new users can create an account but can't access private
messages or alerts unless they verify their email. Facebook requires
users to verify their email before sending messages.
Instagram encourages users to verify their emails when they sign up,
but it's not required. This makes it easier for people to sign up — but
evidently it doesn't help keep users safe.
With the addition of private messaging to the Instagram app in December, users don't just have their pictures to worry about — but personal notes too.
Wagner raised the issue with Instagram via the app's "Report A
Problem" link as soon as he discovered it. He didn't hear back from the
company for over a week, and was still able to access the account the
entire time.
He even changed the password, but it didn't boot the high school user
out — Instagram users retain access to the app after a password change if
they were already using it. Since the girl was already logged into the
app on her phone, she would never even know the password had been
switched.
Instagram is now aware of the problem and working to fix things, but
isn't promising that any form of authentication will be required.
Here's what an Instagram spokesperson told Mashable:
"As part of our work to help make Instagram a safe and secure
community, our sign-up flow encourages people to confirm their email
address when they create an account. As always, registering your account
with an email address you control is an important part of keeping your
accounts safe on Instagram and other services you use."
The company is working to build an easier alert system for users who
may find themselves in another user's account, the spokesperson says,
but that's all. Wagner, who brought the issue to Mashable and never posted on behalf of the other user, has since been disconnected from the account.
Mashable was unable to contact the girl posting to the account.
The obvious fix for Instagram: requiring email verification for users
who create a new account. This might slow down the app's rate of growth
a little — but it would also ensure that another user can't access your
profile.
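
The matching logic described above, sketched as an added Python example (not Instagram's or Facebook's code): `login_naive` treats a matching email as proof of ownership, while `login_hardened` links a federated identity to an existing account only when the local email was confirmed and the identity provider also reports it verified. All class, function and field names and the sample accounts are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    username: str
    email: str
    email_verified: bool = False  # True only after the owner confirms a mailed link
    linked_idp_ids: set = field(default_factory=set)

class AccountStore:
    def __init__(self, accounts):
        self.accounts = list(accounts)

    def by_email(self, email):
        return next((a for a in self.accounts if a.email.lower() == email.lower()), None)

    def by_idp_id(self, idp_id):
        return next((a for a in self.accounts if idp_id in a.linked_idp_ids), None)

def login_naive(store, idp_id, idp_email):
    """Flawed: a matching email alone is treated as proof of account ownership."""
    return store.by_email(idp_email)

def login_hardened(store, idp_id, idp_email, idp_email_verified):
    """Return (account, action); link by email only when both sides verified it."""
    linked = store.by_idp_id(idp_id)
    if linked is not None:
        return linked, "login"            # an explicit link already exists
    match = store.by_email(idp_email)
    if match is None:
        return None, "offer_signup"
    if match.email_verified and idp_email_verified:
        match.linked_idp_ids.add(idp_id)
        return match, "linked"
    # Local email was never confirmed: it may be someone else's typo.
    return None, "require_account_password"

def sample_store():
    # Constructed sample data, not real accounts.
    return AccountStore([
        Account("student_photos", "mw@example.com", email_verified=False),
        Account("alice", "alice@example.com", email_verified=True),
    ])

if __name__ == "__main__":
    store = sample_store()
    print(login_naive(store, "fb-1001", "mw@example.com").username)
    print(login_hardened(store, "fb-1001", "mw@example.com", True))
    print(login_hardened(store, "fb-2002", "alice@example.com", True)[1])
```

Once a link exists, later logins key on the provider's stable user ID rather than the email, so a changed address on either side cannot redirect the login to a different account.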