When using the new feature, some Instagram users’ passwords were displayed in the URL, which was then also stored on Facebook’s servers—a bigger issue for those using a shared computer or compromised network, according to The Information. Facebook already notified users who were affected.

“Temporarily, if someone submitted their login information to use the Instagram ‘Download Your Data’ tool, they were able to see their password information in the URL of the page. This information was not exposed to anyone else, and we have made changes so this no longer happens,” an Instagram spokesperson told Fortune.

The tool has since been updated so the problem should no longer occur, and Instagram is deleting any logged passwords. Users affected are encouraged to change their passwords and clear their browser history. Instagram added that the problem was discovered internally and only a small number of users were affected by the issue.

But it’s still a troubling update, as Instagram and parent company Facebook fight back against a seemingly unending stream of scandal and security breaches.