Your private Instagram account isn’t exactly all that private and can be easily accessed, downloaded, and shared publicly by your friends/followers.
As reported by BuzzFeed News, all it needs is a simple hack involving basic understanding of HTML and a browser to exploit this security flaw on Instagram. The hack works well on Instagram stories too where the user only needs to analyze the images and videos being loaded on the page after which they have to pull out the source URL. This can be done by inspecting the source code of the web page using an element inspection tool where you head over to the “Img” tab to spot the URL for any Instagram page that you’ve clicked on (doesn’t matter if it’s a 24 hour story or an upload feed image). That’s not it, the source-code grants you access to get URLs for profile photos of other accounts who interacted with that post.
This public URL can then be easily shared with others even if they aren’t logged in on Instagram or do not follow that private account. “It’s worth noting that while Instagram tracks who sees your content on the app, it does not track who is looking at your content via public URLs. In other words, if someone were to publicly share one of your private images or videos without your permission, you would have no idea who had done so or how many people had seen it,” states Buzzfeed. In fact, URL for even the deleted or removed photos from Instagram can be retrieved from the Facebook servers.
Given that Facebook has long been under scanner for user data and privacy, this new security loophole on Instagram further sparks concerns surrounding how and if Facebook is keep a tight monitor on the overall security of these platforms.