in

My Instagram account was hacked and two-factor authentication didn't help

After almost 40 years in technology, it finally happened. I had one of my accounts hacked. Blast it. The target was my Instagram account. While I’m very active on social networks, Instagram was the one I used the least. Here’s what happened. 

It all started when I got a plausible Instagram message from a friend. His message asked for my help and included a reset link for their account. Rather than asking me to click the link, which I’d never do in a million years, it simply asked me to send him back a screenshot of the message including the link. I thought, “How can I be hacked by sending a PNG image?” After all, it wasn’t a reset link for my account. So I replied with the image. 

Oh foolish, foolish me.

It turns out the combination of the URL on the image and my reply gave them enough information to take over my account. 

Now, even when I saw trouble brewing — an Instagram e-mail came asking me if I wanted to change my phone number to one in Nigeria — I wasn’t too worried. I’d protected my account with two-factor authentication (2FA). While 2FA isn’t perfect, it’s better than anything else out there for basic security.

But, here’s where things went awry. Instagram should have sent me an e-mail with a link asking me to “revert this change.” Instagram didn’t send such a message. Instead, I received e-mails from security@mail.instagram.com that provided a link about how to “secure your account.” This dropped me into Instagram’s pages for a hacked account, which wasn’t any help.

In the meantime, I got another Instagram message telling me that my account was now associated with a  new e-mail account–a garbage Gmail account. Once more Instagram didn’t give me a chance to refuse this change and the message sent me back to the Instagram hacked account page.

Argh!

I followed up with Instagram’s suggestions on how to bring my account back. I asked for a login link from my Android Instagram app. I got one, which didn’t work. Next, I requested a security code. I got one. That didn’t work either, no doubt because — by that time — the account was now responding to its “new” e-mail address and phone number. 

Next up, I verified my identity by providing the email address and phone number I signed up with and the type of device I used when I signed up. I had hoped for this message since I doubt very much there are that many people who sign up for Instagram do so from a Linux desktop! Well, it was a good idea, but nothing happened. 

Then since my account had photos of me, I took a video selfie of myself to confirm that I’m a real person to confirm my identity. Nada.

I would have called the Instagram tech support number, except — surprise! — there’s no such thing. After some digging, I was able to send a message directly to Instagram tech support. Instagram doesn’t make it easy to find this. In fact, the Instagram support link is actually a Facebook page. Good going, Meta!

But even after that, it didn’t do me any good. I didn’t hear a peep out of them. 

So, I decided it was time to bring out the big guns. I sent a message as Steven J. Vaughan-Nichols, top technology journalist, to Instagram public relations asking for help and/or an explanation.

That didn’t work.

I guess I’m not that special after all.

So, while I made the first mistake by opening the door to the hack, Instagram gets a lot of the blame for its 2FA system, indeed its entire security support system.

But, hey at least I’m not alone. 

More: A security researcher easily found my passwords and more: How my digital footprints left me surprisingly over-exposed

The Bored Ape Yacht Club, a leading non-fungible tokens (NFT) collective, lost $3 million of NFTs to a hacker using a phishing attack.  Like yours truly, the Bored Ape Yacht Club said, “At the time of the hack, two-factor authentication was enabled and security surrounding the IG account followed best practices.” They also said they were working with Instagram security and they’d report on what happened. That was almost a month ago.

There appears to be a spat of these attacks going on. I’ve seen many reports of small businesses having their Instagram accounts hijacked. 

Several of my friends have reported the same. They also tell me that Instagram has been useless. One of them who works in security public relations reports he reached out to some white hats for advice, but they couldn’t help. Instagram appears to be a security black hole, Users’ complaints go in and nothing comes out. He also had 2FA on and was bombarded by “all kinds of weird texts for confirmation about changing my password. Also got multiple emails from IG about resetting my password. I later got a letter from T-Mobile, my phone provider, about putting a SIM block on my account.” SIM blocks are used to keep your phone’s SIM card from being cloned, a popular way of getting around SMS-based 2FA. He also “filed a police report and had the police contact IG.” After all that, “IG support was useless” and he eventually lost his account. 

Personally, this has been really annoying, but it hasn’t really bothered me that much. I had less than 100 Instagram followers. My hacker appears to be using my former account to send cryptocurrency spam. Anyone who knows me knows I think cryptocurrency is a scam. I’ve spread the word that my account has been hacked, and people should report, unfriend, and block it. 

You’d think all those reports, well over two dozen people have told me they’ve reported it, Instagram might have put two and two together and realized my account had been hacked. Three weeks into this and Instagram still hasn’t bought a clue.

But, it could be worse. Hackers are taking over corporate and influencer Instagram accounts and demanding ransomware payments of up to $40,000. 

But what’s irritating to me is a business killer for others. I’ll shed no tears for the Bored Ape Yacht Club. NFTs are scams too and if you think otherwise I’ll happily sell you an NFT of the Brooklyn Bridge. However, many design shops, videographers, photographers, and marketing people depend on it for their livelihood. 

If Instagram doesn’t step up its security game, it’s time to find another platform for your business. I made, at most, one minor mistake, and lost my account. Instagram, with its pathetic security defenses, could lose your far more valuable account and you’d have no way to restore your account or your followers.

Related Stories:


Source: Information Technologies - zdnet.com

Brazil announces partnership with Elon Musk to connect Amazon rainforest

This malware-spreading PDF uses a sneaky file name to trick the unwary