Instagram account takeover hacks on the rise, ID theft organization says
Report: Four times the usual number of consumer complaints in September
Consumers are reporting a recent rise in Instagram account hack attempts, according to the Identity Theft Resource Center (ITRC). Victims find they are locked out of their accounts, and criminals are using these stolen Instas to set other digital traps. A hijacked account can be used to message followers and friends, for example, or can add legitimacy to a bogus post. The ITRC says it saw four times the number of inquires about Instagram hacks from consumers in September than in a typical month.
Anecdotally, I've seen this too. I'm sensitive to Instagram hacks. When I published the Breach podcast, which examined Russia's role in the famous hack of Yahoo, I received notice that a criminal in St. Petersburg, Russia, was trying to hack into my account. And I have reason to believe one of my accounts has been targeted recently.
The best defense against an Instagram hack is to enable two-factor authentication. It's pretty easy. If you haven't delved into two-factor authentication yet, this warning from the ITRC is a good excuse to set it up. You might think your little account full of baby pictures and flowers is of no use to a hacker, but you're wrong. Hacked Instas fetch $45 each on the dark Web, says the IRTC, citing a Digital Shadows report. They can be used for all kinds of mischief, so you really should protect your account now. Even if you don't use it often.
And if you use Instagram to market a business or even a serious hobby, this warning deserves even more attention.
There's good news on the two-factor authentication front. A few years ago, I wrote several stories pointing out that many users couldn't be bothered with it. But according to Duo Security, which provides authentication software, two-factor use is surging. In a survey, the firm found 79 percent of users said they have used 2FA, up from 53 percent in 2019.
It's important to note that not all two-factor protection is the same. Text-message-based security checks are certainly better than nothing, but criminals have tools to outfox that method. They intercept the texts, or they trick recipients into divulging them -- that's why many security texts now say clearly "DO NOT SHARE THIS CODE WITH ANYONE." An authentication app is far superior, like Google Authenticator, and I find them easier to use anyway.
In a similar way, criminals are also creating fake double accounts -- common on Facebook -- in an attempt to trick users into following the imposter account. It's pretty easy to steal a profile picture and some other images and set up a new account that mimics a legitimate one. The victim often doesn't find out what's happening until warned by friends.
If you've already been a victim of an Instagram account takeover, the Identity Theft Resource Center has an excellent roundup of recovery steps. I've republished them below, but visit the organization's site for more.
Check your email account for a message from Instagram. If you received an email from security@mail.instagram.com that says your email address was changed, you might be able to undo this change by selecting “revert this change” in that message. If additional information was also changed (like your password), and you’re unable to change back your email address, request a login link or security code from Instagram.
Request a login link from Instagram. To help Instagram confirm that you own the account, you can request that they send a login link to your email address or phone number. To request a login link:
On the login screen, tap “Get help logging in” (Android) or “Forgot password” (iPhone).
Enter the username, email address or phone number associated with your account, then tap “Next.” If you don’t know the username, email address or phone number associated with your account, tap “Need more help?” below the “Next” button and follow the on-screen instructions.
Select either your email address or phone number, then tap “Send Login Link.”
Click the login link in your email or a text message (SMS) and follow the on-screen instructions.
Request a security code or support from Instagram. If you’re unable to recover your account with the login link sent to you, you may be able to request support for your hacked Instagram account. For more information on how to do this, visit Instagram’s Help Center for step-by-step instructions.
I've recently learned of Token-based authentication and I'm wondering if it's worth pursuing or if the two factor is good enough.