An Instagram hack is spreading across the internet, with increasing numbers of victims finding their accounts hijacked and personal details altered — and account recovery so far impossible.
Starting at the beginning of the month, users began experiencing random log-outs from their accounts; their handles, avatars and personal details such as bios were then deleted. On top of that, the accounts were linked to a new email address, which subverts the account-recovery process.
Oddly, prior, legitimate posts haven’t been deleted, nor have new posts appeared on the hijacked accounts’ timelines. This has led at least one security researcher to speculate that the malefactor is on a quest to build a botnet.
“Although no one seems to know for sure, I assume the hacked accounts were intended to be used as spambots,” said Paul Bischoff, privacy advocate at Comparitech.com, via email. “Even if some victims regain control of their accounts, many of those affected have likely quit the platform or just won’t go through the trouble, adding soldiers to the spambot army.”
The threat actor remains unknown; while the newly linked email address is a .ru Russian domain, that could be a red herring meant to point attribution away from the true perpetrator.
“Having a hacked account associated with a Russian email address may well signify that the attacker is a resident of that country, but it is certainly not a foregone conclusion – email addresses are easily spoofed, either to conceal identity or to encourage finger pointing toward the wrong place,” said Lee Munson, security researcher at Comparitech.com, in an email.
Many complain that they are getting no response from Instagram when they ask for help in gaining control of their accounts.
“@instagram this is the 6th time I’ve reached out and no response… my account has been hacked and I need it recovered!!” said one disgruntled user, @brycehendrixx.
Others complained of deeper issues: “@instagram someone hacked my account and changed my username and pword but is keeping all of my pictures up as if it is them,” tweeted Alyssa Rogalski. “You rejected my report and said they did not violate any of your guidelines, so you’re saying it’s ok if someone is hacking and impersonating me?”
For its part, Instagram – which is owned by Facebook – issued a boilerplate media statement: “We work hard to provide the Instagram community with a safe and secure experience. When we become aware of an account that has been compromised, we shut off access to the account and the people who’ve been affected are put through a remediation process so they can reset their password and take other necessary steps to secure their accounts.”
However, as mentioned, account recovery doesn’t seem to be on the table for most victims.
“My account has been hacked for 3 days now and no one has reached out,” tweeted one affected user, Liz Teal. “Email, phone number, username and profile picture changed, so you cannot go through the steps they have in place on their FAQ page. Unbelievable!”
Threatpost has reached out to Instagram directly and will update this post with any further details or responses.
“There’s not much to go on now, and Instagram has not stated how or why these attacks occurred,” said Bischoff. “While it is possible that hackers breached Instagram to take over these accounts, I think it is more likely that the victims’ login credentials were stolen by malware or compromised in a phishing attempt. The original report does not specify whether victims are Android or iOS users, which would have helped to pinpoint the cause.”
Perhaps most perplexing, one victim told Mashable that he had two-factor authentication (2FA) enabled – and was still hacked. There could be straightforward explanations for this, according to researchers.
“While it’s unclear how these hackers defeated Instagram’s 2FA, it likely has to do with the spate of SIM hacking that has seen several prominent websites being hacked,” said Bill Evans, vice president at One Identity, via email. “To thwart this scenario, websites need to build support for app-based 2FA…It’s far less susceptible to hacking than SMS-based hacking, which depends on a second factor code being sent via SMS to the user’s phone. As previously reported, it appears that Instagram is moving in this direction – which is great.”
Comparitech.com’s Munson added: “While 2FA is a very good secondary line of defense, it is not infallible. Typically, it can be circumvented via phishing – either tricking someone into revealing the 2FA identifier or, far more likely, by getting them to log in to a fake version of the site they were intending to visit. To protect against such account hijacks on Instagram, people should definitely employ two-factor authentication, but they should also be careful to only access the site through the app (only downloaded from an official app store) or by typing the URL directly into their browser.”