Selena Gomez – please tell your 125 million fans to enable two-step verification

If I called this article “Justin Bieber nude photos” nobody would click on it.

Graham Cluley


If you’re worried about escalating international tensions as North Korea blasts missiles over northern Japan, let me tell you something else that will make you worry about the future of mankind:

Selena Gomez has 125 million followers on Instagram.

I discovered that fact this weekend, as I heard that hackers had seized control of the American singer and actress’s Instagram account and posted revealing snaps of her ex-boyfriend Justin Bieber.


When I say “revealing” I mean the full caboodle. Bieber’s Big Lebowski was on show for all to see.

To save both Bieber’s modesty and your own innocence, I have subtly censored the image of the hacked account below.

[Image: censored screenshot of the hacked Instagram account]

I have no idea if Bieber is happy with his ankle spanker being on show to the world or not, but reports indicate that the paparazzi images of Bieber’s little fella have surfaced publicly before in the tabloid press.

What I *do* have a clue about, however, is that clearly Selena Gomez or her management have been sloppy with the star’s online security.

Enabling two-step verification (2SV) adds an additional level of security to your online accounts which goes beyond your normal password. If you turn on 2SV on your Instagram account (and countless other accounts), you will be prompted to enter a security code generated by an app on your smartphone when you try to log into your account.

That means that even if a hacker has managed to steal or work out your password, it won’t be enough to access your account as they don’t (hopefully) also have access to your smartphone.

You would like to think that Selena Gomez would know a thing or two about protecting her social media accounts. Five years ago a British hacker was jailed after hacking into Gomez’s Facebook account and accessing her private messages.

With 125 million followers on Instagram, Selena Gomez could do a lot of good sharing advice with fans about how they could better defend their online accounts.

That, unfortunately, hasn’t happened (at least not yet). For now, Gomez has deactivated her Instagram account.

For further discussion on this story, make sure to listen to this episode of the “Smashing Security” podcast:

Smashing Security #040: 'The show that cost Troy Hunt 14 dollars'



Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

5 comments on “Selena Gomez – please tell your 125 million fans to enable two-step verification”

  1. Brian Leeming

    125 million or 250 million, Graham? But I love your site in any case.

    1. Graham Cluley · in reply to Brian Leeming

      Whoops! Thanks Brian, now fixed. :)

  2. Michael Ponzani

    "Ankle spanker?", I love it. I wish I had one of those. Mine's far too short to fit the description. I did see some clips from the Philippines where some dude had about two and a half feet.

  3. Jay

    Graham, perhaps it wasn't necessarily 2FA not being set up. Is there a possibility some hacker could have social engineered her mobile phone provider to steal her SIM and then confirmed 2FA that way?

    1. Graham Cluley · in reply to Jay

      It's a *possibility* but I would suggest considerably less likely.

      I do prefer it when online services give users the option of two-step verification via an authenticator app (Google Authenticator is perhaps the best known, but there are alternatives) rather than sending a code via SMS.

      I know there are a lot of folks who hate the idea of 2FA via SMS because of the potential of a bad guy cloning your phone and receiving the code, but I do believe for most of us that's a lot less of a risk than not having 2FA enabled at all.
