Recently I was contacted by a friend, let’s call him Greg, who has lost access to his Instagram account, not once, not twice but three times. It turns out that in August, thousands of people began having issues logging in to their Instagram accounts as someone had accessed their account and changed the email address linked to the account and also their password.
Greg first noticed his problem back in August, at the same time as a lot of other people. Greg tried to contact Instagram about the problem but appeared to be caught in a loop of automated emails from the site. The person who accessed his account changed the email address to one ending in .ru (what looks like a Russian email address). They also changed his username to something else and deleted his bio. Greg then created a new Instagram account, only for the same thing to happen again.
How Easy is it?
I decided to see how easy it is to change the email address on my Instagram account. Turns out, very. OK, so I know the password for my Instagram account, but surely there are checks in place before the email associated with the account is changed? Turns out there aren't. All you need to do is sign in, select Edit profile and amend the email address to any address that you want. Instagram then handily sends an email to that new address asking you to confirm it; nothing is sent to the old address and the password is never asked for again.
Once this has been done, the attacker can then change your password without your knowledge and do with your account as they please. When you try to log in to the account and click the forgotten password link, the reset email now gets sent to the new email address and not your email address. In the case of Greg, the attacker does not appear to be making any new postings but has changed his user name and followed a large number of other accounts. Greg no longer has access to his account or any of the pictures that he has posted.
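The weakness above is that a logged-in session alone is enough to swap the recovery address, after which the password-reset path belongs to the attacker. The following is an added example (not Instagram's code, and not part of the original post) of how a service can harden that flow: the change requires the current password again, the new address must confirm a single-use token before it goes live, the old address is told about the change and given a revert link, and reverting also drops every active session. Mail delivery is modelled with an in-memory outbox; the account data is constructed here.

```python
"""Hardened email-change flow (added example, not Instagram's implementation).

Defensive properties demonstrated:
  * step-up authentication: the current password is required to start a change
  * the live address is untouched until the new address confirms a token
  * the old address receives a revert link, so the real owner can undo a hijack
  * reverting clears all sessions, so a hijacker's logged-in client dies too
Mail is modelled as an in-memory outbox of (recipient, subject, token) tuples.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

TOKEN_TTL = 3600        # confirmation tokens expire after an hour
REVERT_TTL = 7 * 86400  # the previous owner has a week to undo the change


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    email: str
    salt: bytes
    pw_hash: bytes
    sessions: set = field(default_factory=set)
    pending_email: Optional[str] = None
    pending_token: Optional[str] = None
    pending_expires: float = 0.0
    previous_email: Optional[str] = None
    revert_token: Optional[str] = None
    revert_expires: float = 0.0


def new_account(username: str, email: str, password: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(username, email, salt, hash_password(password, salt))


def check_password(acct: Account, password: str) -> bool:
    return hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt))


def request_email_change(acct, current_password, new_email, outbox, now=None):
    """Step 1: a valid session is not enough; the caller must re-prove the password."""
    now = now if now is not None else time.time()
    if not check_password(acct, current_password):
        raise PermissionError("re-authentication failed")
    acct.pending_email = new_email
    acct.pending_token = secrets.token_urlsafe(32)
    acct.pending_expires = now + TOKEN_TTL
    outbox.append((new_email, "confirm-new-email", acct.pending_token))
    # acct.email is deliberately left unchanged until the new address confirms.
    return acct.pending_token


def confirm_email_change(acct, token, outbox, now=None):
    """Step 2: the new address proves it is reachable; the old address gets a revert link."""
    now = now if now is not None else time.time()
    if acct.pending_token is None or now > acct.pending_expires:
        return False
    if not hmac.compare_digest(acct.pending_token, token):
        return False
    acct.previous_email, acct.email = acct.email, acct.pending_email
    acct.pending_email = acct.pending_token = None
    acct.revert_token = secrets.token_urlsafe(32)
    acct.revert_expires = now + REVERT_TTL
    outbox.append((acct.previous_email, "email-changed-revert", acct.revert_token))
    return True


def revert_email_change(acct, token, outbox, now=None):
    """Undo path for the original owner: restores the old address and kills every
    session, so a hijacker's client and the redirected reset path both stop working."""
    now = now if now is not None else time.time()
    if acct.revert_token is None or now > acct.revert_expires:
        return False
    if not hmac.compare_digest(acct.revert_token, token):
        return False
    acct.email, acct.previous_email = acct.previous_email, None
    acct.revert_token = None
    acct.pending_email = acct.pending_token = None
    acct.sessions.clear()
    outbox.append((acct.email, "email-change-reverted", ""))
    return True


def request_password_reset(acct, outbox):
    """Reset mail always goes to the currently active address. That is exactly
    why the revert step matters: after it, the hijacker's address gets nothing."""
    tok = secrets.token_urlsafe(32)
    outbox.append((acct.email, "password-reset", tok))
    return acct.email
```

The important design choice is that the old address, not the new one, holds the power to undo the change: confirming the new address proves only that the attacker controls it, while the revert link proves that the original owner is still reachable.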
What about Two Factor Authentication?
Greg decided to set up a new Instagram account and this time he decided to add some security measures. Quite rightly, Greg turned on two-step verification on this new account. I would recommend that two-step verification is turned on for all of your accounts. However, this does not appear to have been enough for Greg (or many others, from looking on Twitter).
Early one morning last week, Greg received an email saying that Instagram had noticed a log in from a new device. It would appear that someone in Australia had attempted to log in to his account.
This email was quickly followed by another email stating that his password had been reset. Greg also received a text message at this time with the authentication code for two-step verification, but as he was asleep at the time, he never logged in.
So, it would appear that even with two step verification turned on, this is still not keeping the attackers out of the accounts.
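From the service's side, the sequence Greg saw is a recognisable pattern: a login from a new device or country, then a password reset and an email change within minutes, with the account owner never completing the 2FA step. The following is an added example (not Instagram's detection logic, and not part of the original post) of a small rule that flags that pattern. The event lines are constructed sample data modelled on the emails Greg received; the field names and the thirty-minute window are assumptions.

```python
"""Account-takeover pattern detection (added example with constructed log data).

Rule: a login_new_device event followed, within WINDOW, by a sensitive change
(password_reset or email_change) with no 2fa_verified event in between is
treated as a probable takeover. The log format here is invented for the
example: "<timestamp> <user> <event_kind> key=value ...".
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)

# Constructed sample events: greg's account shows the takeover sequence,
# alice's shows a normal new-device login completed with an app code.
SAMPLE_EVENTS = [
    "2018-10-02T03:12:07Z greg login_new_device ip_country=AU status=success",
    "2018-10-02T03:12:40Z greg 2fa_code_sent channel=sms",
    "2018-10-02T03:14:02Z greg password_reset status=success",
    "2018-10-02T03:15:10Z greg email_change old=greg@example.org new=x@example.ru",
    "2018-10-02T09:00:00Z alice login_new_device ip_country=GB status=success",
    "2018-10-02T09:00:30Z alice 2fa_code_sent channel=app",
    "2018-10-02T09:00:55Z alice 2fa_verified channel=app",
    "2018-10-02T09:05:00Z alice password_reset status=success",
]


def parse(line):
    """Turn one log line into a dict with a parsed timestamp and key=value attrs."""
    ts, user, kind, *kv = line.split()
    attrs = dict(p.split("=", 1) for p in kv)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "kind": kind, **attrs}


def detect_takeovers(lines, window=WINDOW):
    """Return one alert per new-device login that led to sensitive changes
    without a verified second factor inside the window."""
    by_user = defaultdict(list)
    for ev in map(parse, lines):
        by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(evs):
            if ev["kind"] != "login_new_device":
                continue
            followers = [e for e in evs[i + 1:] if e["ts"] - ev["ts"] <= window]
            kinds = {e["kind"] for e in followers}
            sensitive = kinds & {"password_reset", "email_change"}
            if sensitive and "2fa_verified" not in kinds:
                alerts.append({
                    "user": user,
                    "at": ev["ts"].isoformat(),
                    "country": ev.get("ip_country"),
                    "actions": sorted(sensitive),
                    "sms_code_sent": "2fa_code_sent" in kinds,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_takeovers(SAMPLE_EVENTS):
        print(alert)
```

In practice the response to such an alert would be to hold the email change and notify the previous address, rather than to block outright, since a genuine owner travelling with a new phone produces a similar-looking login.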
How is this possible?
Although two-factor is vital in helping to prevent unauthorised access to accounts, it is not 100% foolproof. There are several different methods that can be used to bypass it, some trickier than others, and services that use text message-based two-step authentication are particularly exposed. One method is to clone the SIM card that is attached to the account. In this instance, I am reasonably confident that this has not happened, principally because of the number of people that appear to be affected.
Another way of bypassing the authentication step would be by using phishing techniques. This would require the user clicking on a specially crafted link and then signing in to their Instagram account and entering the one-time code. The attacker can then do some ‘magic’ to ensure that they can access the account using those details. This seems a more plausible cause, but I have had a look at Greg’s emails and again, I am not 100% confident that this is the route that the attackers have taken.
So that leaves some other method that the attackers are using. If anyone has any ideas I would be delighted to hear them.
Why are they doing this?
There are a number of reasons that attackers are trying to take over accounts. One may be to try to sell the Instagram page on one of the many sites that offer accounts for sale. An account that is active with a number of followers already set up will sell for more than one that has been recently set up.
Another reason may be to send out phishing links to the general population and/or the followers of those accounts.
Thirdly, we have heard a lot about fake accounts spreading ‘fake news’. Perhaps these accounts are being lined up to start spreading misinformation of some kind.
What to do about it?
The first thing to do is to make sure that you are using a unique and strong password on your account. Even though some of the accounts that have been taken over have been using two-factor, it is still important to have this turned on. Instagram now allows users to have two-factor authentication that does not rely on text messages. This is a better option than the traditional text-based authentication. It can be found in the settings on the Instagram app.
Go to Settings, Two-Factor Authentication and click the Authentication App option.
Secondly, check whether any ‘third-party’ apps have access to your account. This needs to be done on the website rather than the phone app. (Well, I couldn’t find the option on the app!) Again, go to Settings and select Authorized Apps. This will list any third-party applications that have access to your Instagram account. Delete any that you do not recognise or no longer use. It may well be worth doing this on your Facebook page also; there it is under the “Apps and Websites” section in your settings.
What is Instagram saying?
Instagram have stated that they are aware that a large number of people are having issues with their accounts; however, that was way back in August. Now, in October, we are still seeing the same pattern of account takeovers happening.
Some of these accounts may have initially been compromised due to weak passwords. I have also seen on Twitter that some people are claiming that they have lost access to other accounts at the same time. This MAY be due to them using the same password on several different services. But there does also appear to be an issue with the two-factor authentication process. (But please, keep it on.)
Chief Ethical Hacker Gerry Grant
For more information and advice please email firstname.lastname@example.org