The App Store is a pretty well-fenced garden, which means it's big news when someone manages to pull off a heist. But that's what InstaAgent seems to have done: the third-party app would let you see who was viewing your Instagram profile while it skimmed your password.
As noted by developer David L-R on Twitter, the app seems to have been sending usernames and passwords in cleartext to an unknown server, rather than using Instagram's API to log in. The app was then posting spam and third-party images to users' feeds — and who knows what else was being done with the login information.
What's remarkable is InstaAgent's popularity: it's the number one app in its category in the UK and Canada, and also decently popular in the US and Europe, with hundreds of thousands of downloads. It seems to have been pulled from the App Store now, but if you downloaded it, you'd be well advised to go change your password on Instagram (and anything else you used the same credentials for) right the hell now.