Hackers are taking over high-profile Instagram users’ accounts and holding them to ransom, it was revealed this week. At least four influencers have lost control of their accounts and received demands to send bitcoin for their return, but in some cases the attackers retained control or deleted the accounts.
Motherboard reported that Los Angeles-based fitness Instagram influencer, Kevin Kreider, lost control of his Instagram account and more than 100,000 followers after falling victim to a phishing scam. The account hijackers sent him a fraudulent email offering a sponsorship deal with French Connection that took him to a fake Instagram portal which then stole his account details.
Cassie Gallegos-Moore, who used the Instagram handle theadventurebitch, blogged about losing her account to hackers who changed the email used to access it. They temporarily blocked the account and demanded a ransom, threatening to delete the account entirely within three hours if she did not pay. Gallegos-Moore, who had 57,000 followers on her account, sent them $122 in bitcoin.
While Kreider eventually managed to regain control of his account, Gallegos-Moore was still without hers at the time of writing. Instead, she renamed a backup account to her original adventurebitch handle, but had fewer than 100 followers at last count. She lambasted Instagram for its approach to the hack.
While it isn’t clear how she lost her account, Instagram account hacking has become commonplace.
In August, the company blogged in response to reports that hundreds of accounts were being hacked. One piece of advice in that blog post may offer a clue:
> Our current two-factor authentication allows people to secure their account via text, and we’re working on additional two-factor functionality with more to share soon.
SMS-based two-factor authentication (2FA) renders the user vulnerable to an attack known as SIM swapping, in which hackers socially engineer cellular carrier employees to switch a cellphone’s number to a new SIM. This enables attackers to read the SMS texts used in 2FA and gain access to the account. NIST deprecated SMS texts as a form of 2FA in 2016.
Celebrity Instagram hacks have happened before. Selena Gomez, who had 125m followers at the time, had her account hijacked in August 2017, and someone with far too much time on their hands posted naked pictures of her ex-boyfriend Justin Bieber on it.
A couple of days later, Instagram confirmed that hackers had stolen personal information from high-profile user accounts by exploiting a bug in its system that exposed telephone numbers.
Hackers had already exploited the bug to harvest personal information on up to six million Instagram accounts, revealed the Daily Beast. They created a database of the information, which included all the Instagram accounts with over a million followers, and charged $10 per search.
Use app-based authentication to secure your account
Many people invest so much time and effort in their social media accounts that these hacks can affect their online brand and their ability to generate revenue. With attacks like phishing and SIM swapping now rife, enhanced protections are more important than ever.
Earlier this year, Instagram announced an improvement on its SMS-based 2FA: support for mobile app-based authentication.
Here’s how to set up your Instagram account to use a third-party authenticator app:
- Go to your profile.
- Tap the Menu icon.
- If you’ve already installed an authentication app, Instagram will automatically find it and send it a login code. In that case…
- Go to the app, retrieve the code, and enter it on Instagram. That will automatically turn on 2FA.
- If you haven’t already installed an authentication app, Instagram will shuffle you on over to Apple’s App Store or Google Play to download the app of your choosing (Sophos has you covered here: consider downloading Sophos Authenticator which is also included in our free Sophos Mobile Security for Android and iOS). Once you’ve installed your chosen authenticator, return to Instagram to continue setting up 2FA.
Twitter added support for FIDO Universal 2nd Factor (U2F) security keys this summer, and Facebook also supports mobile authentication apps.
One comment on “Hackers demand ransom from hijacked Instagram influencers”
Instagram obviously has a very broken identity management system if victims consider paying a ransom rather than turning to Instagram for assistance. A month or two ago professional racer Jordan Taylor (IMSA WeatherTech Series) put out a plea on Twitter to all his followers to send a note to Instagram to assist Jordan in retrieving his Instagram account, which had been taken over by hackers who were posting salacious pictures on it. He had a few funny posts hinting at his frustration trying to get their attention to help him recover the account.