Wednesday 15 August 2018

Hacked Instagram accounts, possible Russian link 👾














If you have an Instagram account, you may want to take some extra precautions and do what you can to lock it down.

Social media hacks are not new; we regularly hear of instances where people lose access to their Facebook, Twitter, or other accounts. Even in the case of Instagram, we frequently hear about celebrities suffering account compromise. This time, it is not about one or two accounts but a massive campaign affecting numerous Instagram users. What’s more upsetting for those affected is that the hackers have also been changing account recovery emails.

Victims have reported being unable to access their accounts after all the information, such as the email address, profile picture and even the associated Facebook account, was changed. The contact information associated with these stolen accounts now points to email addresses on a Russian .ru domain. Bizarrely, the hijacked accounts are having their images replaced with random stills from movies and TV shows.

Details of the hack were first uncovered by Mashable, which discovered that even users with two-factor authentication turned on were susceptible to the attack. Many disgruntled users took to Twitter to reveal they had been targeted, in some cases losing access to thousands of photos and followers.

Instagram has security tips and advice about hacked accounts on its website.

It has also published a blog saying it continues to investigate the issue.

The hackers have so far made no demands and the affected accounts appear otherwise untouched.

There are tweets describing the hack dating back to July.

There are suggestions that the attack is originating from Russia because of the mail.ru email address, but it is easy to register for an account with the service in many countries. The .ru suffix remains regardless of the geographical location of the owner.

Some reports suggest that at least one of the hacked accounts may have had two-factor authentication (2FA), an extra security measure, enabled, although this is currently unconfirmed.

With 2FA, a code is texted to the account holder's phone before they can complete the log-in process.

It is an opt-in service.

Security experts advise that 2FA should be activated wherever possible.

“While it’s unclear how these hackers defeated Instagram’s 2FA, it likely has to do with the spate of SIM hacking that has seen several prominent websites being hacked,” said Bill Evans, vice president at One Identity, via email. “To thwart this scenario, websites need to build support for app-based 2FA…It’s far less susceptible to hacking than SMS-based hacking, which depends on a second factor code being sent via SMS to the user’s phone. As previously reported, it appears that Instagram is moving in this direction – which is great.”

Comparitech.com’s Munson added: “While 2FA is a very good secondary line of defense, it is not infallible. Typically, it can be circumvented via phishing – either tricking someone into revealing the 2FA identifier or, far more likely, by getting them to log in to a fake version of the site they were intending to visit. To protect against such account hijacks on Instagram, people should definitely employ two-factor authentication, but they should also be careful to only access the site through the app (only downloaded from an official app store) or by typing the URL directly into their browser.”

