Instagram's new Photo Map, which lets approved followers browse pictures by location, is letting Android users view private photos without being approved. As Cult of Mac reports, the iOS version doesn't show unapproved users the Photo Map for people with privacy settings turned on, but the Android version mistakenly allows users to bring up the geotagged map and exposes any photos that have been added to it. We've tested this for ourselves, and while the iOS app is working correctly, the Android app indeed shows the maps and photos of private users. This contradicts Instagram's policy, which says that "private users’ images, even when geotagged, are hidden from the public."
From what we can tell, photos are only compromised for people who have both updated Instagram and turned on Photo Map, which they are prompted to do after the update. That means if you're a private user on any platform, you'll probably want to hold off on using Photo Map or even updating until the problem is resolved. If you've already turned it on, photos can be removed easily, though there's not a simple way to toggle it off. We've reached out to Instagram and will update with any reply. While the bug shows up only on Android, this affects users on either app, since photos from the iOS app can still be seen on an Android device.
Update: We've just heard back from Instagram, who says that "the issue has been resolved." Sure enough, although you can still click on the "Photo Map" button for a private user, when the map loads you're simply presented with an empty globe and a "Tap to retry" button.