Comments
-
Voxera115856y
Even if the other site uses another hashing solution, often the hashing solution is not that secret; any good hashing does not need to be kept secret.
They can then, when you log in, use that solution to generate a hash to be matched against those hashes.
And sometimes that other site used such bad hashing that the dump is the real password, in which case they can use it and hash it just as they do when you log in.
-
ymas4716y
There are loads of clear text dumps on the web and the dark web.
https://medium.com/4iqdelvedeep/...
With this in mind, I think cross checking is a pretty reasonable thing to do.
I *hate* passwords.
-
Root826006y
There are several ways of checking that don't implicate them for storing cleartext passwords; however, their wording absolutely does.
-
yangshun2176y
Correct me if I'm wrong, but your password when sent to the server for verification is still in plain text. Can't they compare it with the dump then? That doesn't mean your password is stored in plain text.
-
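The check Voxera and yangshun describe above, as an added example that is not part of the thread and not Instagram's code: the site stores only a salted hash, yet can flag a leaked password at login (when the plaintext is in memory) or offline against a cleartext dump. The dump contents, the function names and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample dump from "another site": some entries leaked as
# cleartext, some as unsalted SHA-1 hex digests (a publicly known algorithm).
LEAKED_CLEARTEXT = {"hunter2", "letmein"}
LEAKED_SHA1 = {hashlib.sha1(b"correct horse").hexdigest()}


def _kdf(password: str, salt: bytes) -> bytes:
    # Salted, slow hash; this is the only thing the site keeps per user.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _kdf(password, salt)}


def in_dump(submitted: str) -> bool:
    # At login the plaintext is in memory, so the site can re-apply the
    # other site's algorithm and look the result up in the dump.
    sha1 = hashlib.sha1(submitted.encode()).hexdigest()
    return submitted in LEAKED_CLEARTEXT or sha1 in LEAKED_SHA1


def login(record: dict, submitted: str) -> str:
    candidate = _kdf(submitted, record["salt"])
    if not hmac.compare_digest(candidate, record["hash"]):
        return "denied"
    return "ok, password found in dump" if in_dump(submitted) else "ok"


def offline_check(record: dict) -> bool:
    # Without any login: hash each cleartext dump entry with this user's
    # salt and compare. Entries leaked only as hashes cannot be tested here.
    return any(
        hmac.compare_digest(_kdf(pw, record["salt"]), record["hash"])
        for pw in LEAKED_CLEARTEXT
    )


if __name__ == "__main__":
    user = register("hunter2")
    print(login(user, "hunter2"), "| offline match:", offline_check(user))
```

In neither path does the stored record contain the password itself; the offline path costs one slow hash per dump entry per user, which is why the login-time check is the cheaper of the two.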
I'm with @Root on this one, only keep in mind that Instagram is owned by Facebook.
Facebook is integrated within the biggest mass surveillance program ever created, so I doubt that they hash passwords or, if they do, that they don't make them available to either the NSA or law enforcement agencies at request.
First of all, how the fuck are you able to tell that MY password is one of many that have been stolen? How are you able to get those stolen passwords AND WHY ARE YOU EVEN ABLE TO COMPARE THEM?! Are you storing them as plain text, or do you just randomly salt all stolen passwords and check if they are in your base?
Now that is an INSTAdelete.
rant