InstaAgent, an app which let you track who visited your Instagram account, could have nabbed your username and password for the service, mobile developer Peppersoft revealed.
The app was available in the official Apple and Google app marketplaces and had racked up between 100,000 and 500,000 downloads on Google Play before being exposed.
Ars Technica said this highlights a weakness in both the App Store and Google Play vetting processes.
Peppersoft showed that InstaAgent sent Instagram username and password details to its servers, which the app used to post an advertisement for itself to users’ feeds.
Google and Apple have pulled the app.
BBC reported that the developer has apologised for posting ads to users’ feeds without permission, claiming it happened for reasons he didn’t understand.
The InstaAgent developer said they did not store user credentials.
Instagram has advised users who used the app to delete it and change their password.