Instagram has confirmed a hacking attack that targeted several high-profile users of the photo sharing application.
On 30 August, Instagram revealed in a statement provided to Variety that attackers had attempted to steal several well-known users’ account information:
“We recently discovered that one or more individuals obtained unlawful access to a number of high-profile Instagram users’ contact information – specifically email address and phone number — by exploiting a bug in an Instagram API.”
The selfie-sharing platform told The New York Daily News that it believes only one attacker exploited a glitch in its application programming interface.
In doing so, the unauthorized party likely obtained code that allowed them to reveal targeted users’ data and thereby gain access to their accounts. This could explain what happened to Selena Gomez’s Instagram account earlier in the week.
Since discovering the attack, Instagram has fixed the bug. But it’s still warning users to watch out for potential threats:
“Our main concern is for the safety and security of our community. As always, we encourage people to be vigilant about the security of their account and exercise caution if they encounter any suspicious activity such as unrecognized incoming calls, texts and emails.”
All Instagram users, especially those contacted by the photo-sharing platform as part of this attack, should protect their accounts with a strong, unique password. They should also consider enabling two-step verification (2SV) on their mobile phones. Doing so will help secure their accounts against unauthorized logins.
The key word in that last statement is help.
You see, Instagram’s 2SV mechanism doesn’t allow for third-party apps like Google Authenticator. It uses only SMS-based text messages.
Unfortunately, if an attacker obtains a user’s phone number, they can try to conduct a social engineering attack against the corresponding mobile carrier and convince a representative to transfer the number to a device under their control. If they succeed, there’s no telling what damage they could cause.
Privacy expert Jesse Irwin provides CNN with a taste:
“With an email address and a telephone number, it’s not difficult to cross reference information online to find out more about a target, even a celebrity. Because most accounts rely on phone numbers as a backup to get into an account or to grant access with a second factor, it would not be difficult for a criminal to break into an email account or to access phone backups, which are full of important information.”
Acknowledging those threats, it’s a good idea for anyone with a mobile plan to create an authorization PIN with their mobile carrier. Someone will need to supply this code whenever they call a user’s mobile carrier and attempt to make changes to their account. For added protection, users can consider instituting a SIM lock.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.