- Instagram is sending warnings to users of popular social media management services telling them their accounts have been "compromised."
- Instagram is trying to crack down on malicious and rule-breaking behavior after a series of Business Insider investigations into companies that openly flouted its rules prohibiting practices like data scraping.
- Now, users of popular services including Buffer and Hootsuite have been sent messages telling them they've used rule-breaking tools.
- But the companies in question strongly deny any wrongdoing, and argue that Instagram has made a mistake.
Some of the biggest social media management apps around are getting caught up in Instagram's attempts to crack down on rule-breaking and malicious behaviour.
The Facebook-owned photo-sharing app is warning users of popular services like Buffer and Hootsuite that their accounts have been "compromised," that they've used rule-breaking tools, need to change their passwords, and may get their accounts restricted if they continue.
The messages have baffled both ordinary users and the companies in question, who strongly deny any rule-breaking - suggesting it may be a bug.
The warnings come as Instagram tries to tackle malicious behaviour on its platform, in the wake of a series of Business Insider investigations into companies that have illicitly scraped users' data and flouted Instagram's rules with impunity.
However, it's not clear whether Instagram actually believes the apps in question are violating its rules, or if it has issued these warning messages in error. Three of the companies affected - Buffer, Hootsuite, and Planoly - told Business Insider they believe a technical issue or bug is to blame. All three are official Facebook Marketing Partners (FMPs), an exclusive category of Facebook-vetted
The affected products are popular among brands and media companies who use them to manage their social media presence and marketing campaigns. Buffer, for instance, which is used by Business Insider, provides a unified dashboard to schedule posts across various social media accounts such as Facebook, Twitter, LinkedIn and Instagram.
If the warnings were a mistake, it raises questions as to the accuracy of Instagram's attempted crackdown on scraping, and whether innocent users and companies are getting caught in the cross-fire.
Reached for comment, a Facebook spokesperson did not say whether the messages were a mistake. In a statement, they said: "Automated activities, like creating or accessing accounts, go against our policies. We're doing a detailed review of third party apps to combat these behaviors. As a precaution, we've also asked people who may have given their Instagram credentials to apps to change their passwords."
Instagram is trying to crack down on malicious activity
Over the past two weeks or so, some people using Instagram have been greeted with an ominous message telling them: "Your Account was Compromised."
The message alleges that the user "shared your password with a service to help you get more likes or followers, which goes against our Community Guidelines." It tells them that they need to change their password to access Instagram again, and that if they continue to break the rules Instagram might take further action against them.
Instagram has been sending some users a variation of this message since November 2018, as part of an effort to crack down on "inauthentic behaviour" like bots and auto-liking programs. However, this most recent message that also locks users out until they change their passwords seems to be a new effort - Business Insider could not find any examples of it before the start of September 2019. (An Instagram spokesperson did not respond to a question on when it began.)
It comes after Business Insider found multiple companies that openly flouted Instagram's rules - soliciting users' login details, scraping millions of users' data, offering automated like and follow systems, and other prohibited behavior. In response, Instagram has started to clamp down on third-party apps, issuing cease and desist letters to alleged offenders and kicking off a review of all of its Facebook Marketing Partners.
Affected companies say a bug is to blame
Now, users of services like Hootsuite, Buffer, and Planoly are getting targeted by this warning. All three deny any wrongdoing, and believe a bug on Instagram's end is to blame.
Buffer spokesperson Hailley Griffis said that the company has heard of about 200 cases of the issue happening, and that it has reached out to Facebook about it. "As a partner, we have been approved by Facebook/Instagram and operate within their Community Standards. We do not support the purchase of likes or followers," they said.
In a statement, Hootsuite spokesperson Samantha Falk said: "We have recently been made aware of an Instagram technical issue that has impacted some of our customers using Instagram on Hootsuite. We are working closely with Instagram to resolve the issue as quickly as possible. We apologize for any inconvenience this has caused our customers."
And a member of the Planoly support team said they had been told Instagram is "aware of the bug."
"We have reached out to Instagram over a week ago and they are aware of the bug. This Instagram bug is affecting a few random accounts on Planoly and other 3rd party apps. They have escalated the issue and are actively looking into it," they said in an email.
"We are official Instagram Partners and use their official API. All logins and authentications that we use are through Instagram and Facebook's Graph API, and as an official marketing partner of Instagram and Facebook, we have to follow and abide by their rules and guidelines. Thus, we do not have or store any of our users' login information, or put them at risk of having their sensitive information compromised."
Instagram won't say if the messages are sent in error
Reached for comment, a Facebook spokesperson did not directly respond to questions as to whether users of these services had received the messages in error.
They said they were still in the process of investigating what caused the messages, and reiterated in a statement that the messages appear if a user gives their login details to a third-party service (it is against Instagram's rules for people or third-party companies to request another user's password).
They said: "Automated activities, like creating or accessing accounts, go against our policies. We're doing a detailed review of third party apps to combat these behaviors. As a precaution, we've also asked people who may have given their Instagram credentials to apps to change their password."
Business Insider tested adding an Instagram account to Buffer, and it redirected us to Instagram's official login page, rather than soliciting the account login details - another suggestion the messages were sent in error. (Business Insider does not have access to Hootsuite or Planoly, and was unable to test those services directly.) The fact that all three remain in the FMP directory suggests this is unintentional; when Instagram has taken action against rule-breaking companies in the past, it has stripped them of their FMP badge.
The warnings, if they are indeed being inaccurately displayed, are a further indicator of Instagram's ongoing struggles to accurately enforce its rules for third-party developers on its platform. They would highlight how even its attempts to rectify matters can produce further mistakes, cause confusion for ordinary users, and risk damaging trusted partners' reputations.
On the other hand, if the warnings are legitimate and Instagram does believe the companies have violated its rules, it would mean Instagram has historically failed to detect or take action against illicit behaviour conducted by some of the biggest and highest-profile companies on its platforms - raising questions as to what else may have gone undetected over the years.
Got a tip? Contact this reporter via encrypted messaging app Signal at +1 (650) 636-6268 using a non-work phone, email at rprice@businessinsider.com, Telegram or WeChat at robaeprice, or Twitter DM at @robaeprice. (PR pitches by email only, please.) You can also contact Business Insider securely via SecureDrop.
@instagram is this a scam? Anyone else having this when u want to go on your instagram but your account was compromised, cause according to instagram you have shared your password (which i have not) pic.twitter.com/F8zmjrtpIy
- GDF (@gdefretes) September 4, 2019
@instagram - help, one of our instagram accounts has been listed as compromised. That account only had a connection with @buffer - is buffer classified as a breaching insta terms & conditions? pic.twitter.com/JHGyaJDxkj
- Help Each Day (@help_each_day) September 10, 2019
@instagram Received notice account was compromised couple weeks ago. Changed PW. Received another one recently. Changed PW again. Now, account is blocked. Only tool I am using is @hootsuite @Hootsuite_Help Thought they were a legit partner. Could it be something else? Help 🙏 pic.twitter.com/k6DQZh8JV4
- Charles Pizzo (@charlespizzo) September 11, 2019
@planoly are you aware of Instagram thinking an account is compromised because of using Planoly? I got a notification this morning just after an autopost and am confused as to the cause pic.twitter.com/SHkjcF2TEo
- Ashley Bovin (@aruthbovin) September 12, 2019