News & Comment: Instagram users are reporting the same bizarre hack

COMMENT:

Paul Bischoff, privacy advocate at Comparitech.com:

“There’s not much to go on now, and Instagram has not stated how or why these attacks occurred. While it is possible that hackers breached Instagram to take over these accounts, I think it is more likely that the victims’ login credentials were stolen by malware or compromised in a phishing attempt. The original report (Mashable) does not specify whether victims are Android or iOS users, which would have helped to pinpoint the cause.

Although no one seems to know for sure, I assume the hacked accounts were intended to be used as spam bots. Even if some victims regain control of their accounts, many of those affected have likely quit the platform or just won’t go through the trouble, adding soldiers to the spam bot army.

Although one user claims his account was taken over despite having two-factor authentication enabled, I would recommend all Instagram users enable it anyway. Two-factor authentication can go a long way in protecting your data and information, not just on Instagram, but on any online account where it is available.”

Lee Munson, security researcher at Comparitech.com:

“While 2FA is a very good secondary line of defence, it is not infallible. Typically, it can be circumvented via phishing – either tricking someone into revealing the 2FA identifier or, far more likely, my getting them to login to a fake version of the site they were intending to visit.

“Having a hacked account associated with a Russian email address may well signify that the attacker is a resident of that country, but it is certainly not a foregone conclusion – email addresses are easily spoofed, either to conceal identity or to encourage finger pointing toward the wrong place.

“To protect against such account hijacks on Instagram, people should definitely employ two factor authentication but they should also be careful to only access the site through the app (only downloaded from an official app store) or by typing the URL directly into their browser.”