How to hack instagram account on pc


What happens with a hacked Instagram account – and how to recover it

Had your Instagram account stolen? Don’t panic – here’s how to get your account back and how to avoid getting hacked (again)

A friend – let’s call her Ellie – recently called me with a devastated tone in her voice. Her Instagram account had been hacked and she was locked out. Her panic was evident as she told me her password had been changed and that the hackers had added two-factor authentication (2FA) to the account.

She went on to ask me if I knew of any tips to regain control. I had heard of both good and bad outcomes in similar situations, online, but I had never attempted it first-hand. If I’m honest, I was actually a little excited at the opportunity to test Instagram’s recovery methods to see if I could learn anything.

Ellie is quite computer savvy and understands technology; however, she is also very busy with her small business and young children. As a result, she has simply “put off” adding extra security layers to her social media and email accounts. At any rate, when she called, I refrained from “I told you so!” and asked her what had happened.

How things went wrong

Ellie’s first mistake was that she had used a relatively simple password on the account and had reused it on other accounts, so this password was either compromised or attacked via brute force to gain illicit entry.

Her second mistake was that she had not set up 2FA on the account, which is free and easy to turn on for just about every social media and email service. With it turned on, the hackers would have simply been turned away, even after entering the right password or clicking the “forgotten password” link (a hacker’s favorite starting block!).

Once into her account, they started the process of locking Ellie out: they changed the password, switched 2FA to a Nigerian phone number and a different email address, and added an authenticator app. They even added some numbers to the end of the Instagram username, which at first I could not explain. Presumably this was done so that Ellie would not simply be able to regain control from her phone, should she get that far.

Once they had locked Ellie out, they started the next level of sideways attacks by sending messages to her Instagram friends, presumably to target their accounts and get their 2FA codes and multiply the hack. Luckily, no one else divulged the code but a few were immediately taken in by the messages.


The long road to (account) recovery

When Ellie tried to recover her account, she felt like she was at a dead end – even after following the steps on the Instagram help site, she felt stuck. When she requested a login link from Instagram to be sent to her primary email address, nothing genuine came through even though she could still access this account. (You will, of course, need access to the email address connected to your account. If for any reason you cannot access this email account, Instagram will not let you regain access to your Instagram profile.)

I had remembered that hackers can often get into the associated emails via the same reused passcode, and then hide or block recovery emails sent from Instagram regarding the hacked accounts.

To my (relative) shock, this was exactly what had happened. In her Yahoo account, she clicked on the “Blocked List” and three email addresses ending in mail.instagram.com had been blocked.

Once unblocked, she followed the process again and Instagram sent another login link. She was then asked to submit a video selfie to help verify her identity (this was only possible as she has photos of herself on the account).


Within 20 minutes, she received an email saying that she had now been granted access back into the account and given a small number of one-time recovery codes to use. We both thought we were on the road to victory!

But it was short-lived.

Although Ellie did regain access to the account by following the genuine link and typing in a backup code, the strangest thing is that she was instantly booted straight back out on entry. She retried this process five more times and this frustrating cycle reoccurred. She panicked, as she was only given six backup codes to use. To get more codes, she had to prove her identity again via the video selfie process … which did not work the next time, but after another attempt she passed and was given six more codes.

Interestingly, however, Ellie’s email address started receiving emails purporting to be from Instagram but the grammar errors and strange requests for security codes looked phishy and, luckily, she ignored them. Presumably they could have locked her out of this account, but they wanted to keep her in to potentially hand over the One Time Passcodes (OTPs).

I wondered if there could be a problem with her geo- or network location, or device, potentially banning her from entering the account, so I asked her to send the recovery email to my email address for me to try from my laptop at a location five miles away.

I attempted the process on my laptop and much to her disbelief, I got in straight away and stayed in! Success! Ellie was overjoyed, but before I took a moment to work out why this attempt had worked, I decided to secure the account once and for all.

I turned off the newly assigned 2FA app and the Nigerian phone number the hackers had changed it to; then, I changed the associated phone number to Ellie’s and then turned 2FA back on. I went on to change the password and used a 2FA code sent to her phone via SMS to prove she was now the secure owner of the account.

Another thing the bad guys did was change Ellie’s username. This is presumably because when you log back into Instagram from your phone after logging out, it locks the login screen to the previous username and not an email address, making re-entry very tough unless it is still the original username tied to the app. To get Ellie back in, I had to change it back to her original username.

While in her account, I visited her “Login Activity” and it asked me if my current login location was “me”. I clicked “yes” and it stored this location.

My presumption on how she was instantly being booted out of the account is one of two possibilities. Firstly, they had potentially looked at recent login activity and struck off those locations, making Instagram think her home Wi-Fi was in fact a hacker’s location.

Or secondly, the hackers were still in the account and every time Ellie attempted to use the backup codes, they were notified and used their associated 2FA to change the password once again before she could press on any further. Either way, using another IP address from a laptop and navigating the site quickly worked.

Once she was back in, Ellie had a lot of replying to do with all the messaging that the hackers had done.

Fascinatingly, anyone who replied stating they thought Ellie’s account had been hacked, or mentioned on their own stories that Ellie’s account had been hacked, had been blocked by the hackers too!

Luckily, the whole process only took three days but it definitely felt longer for Ellie. She is back in now and after nearly giving up, she mentioned that she has learnt about account protection the hard way. And I will leave it in her words: “I wish I had followed this simple security advice beforehand”.

Recovery process on a compromised Instagram account

  • Head to your email account and make sure any email addresses from Instagram do not feature in your blocked list.
  • Visit Instagram’s Password Reset page for a login link.
  • Follow the on-screen prompts to Instagram’s help page and submit a support request to verify your identity. You will be asked to record a video selfie, but this step will only work if your account already contains photos of you. The recovery link will be sent to your original email address.
  • If this does not work, try it again until it verifies you.
  • When successful, you will receive an eight-digit code that will be required after clicking on the link sent from Instagram.
  • Log into the account on a computer using an IP address not used before with the account.
  • Once in, immediately revoke any wrong 2FA implementation.
  • Change the password to something strong and unique and not related to you.
  • Change the phone number back to yours.
  • Turn 2FA back on.
  • Consider using a 2FA authenticator app instead of SMS-based 2FA.
  • Change the username back on the laptop before re-entering from your phone.
  • Finally, check your blocked list in your Instagram account. The hackers may have placed some close friends of yours in there.

Prevention tips for securing an Instagram account

  • Use a strong and unique password on Instagram and never reuse it anywhere else.
  • Turn on 2FA, both on your Instagram account and on your email account.
  • Watch out for phishing emails purporting to be from Instagram.
  • Beware of any Instagram messages that start with something like, “Hi, I need your help”, and call your contact to make them aware of the potential compromise.
  • Have at least one photo of your face on your account so the video selfie process will work if needed.


How any Instagram account could be hacked in less than 10 minutes

Graham Cluley

July 15, 2019


A security researcher has been awarded $30,000 after discovering a serious vulnerability that could potentially have put any Instagram account at risk of being hacked.

Following a recent increase in rewards offered for the discovery of critical account takeover vulnerabilities in Facebook and Instagram, Indian security researcher Laxman Muthiyah chose to take a close look at the photo-sharing service.

As he describes in a blog post, Muthiyah explored whether there might be a vulnerability in how Instagram handled password reset requests for users who have forgotten their login credentials.

Muthiyah found that when users asked for a password reset via Instagram’s web interface, the site would email a reset link to the user’s email account.

After a few minutes of testing Muthiyah couldn’t find any bugs there, and so turned his attention instead to how smartphone users recover access to their Instagram accounts.

What Muthiyah found was that Instagram offered users locked out of their accounts the option to request a six-digit security code sent to their mobile phone number or email address. If that code is entered, the user regains access to the account.

In theory, if a hacker could enter the six-digit security code they would be able to break into the Instagram account (and reset the password locking out the legitimate owner.)

Now, that passcode could potentially be stolen if a hacker had somehow managed to gain access to their target’s email account, or had hijacked control of their victim’s mobile phone number via a SIM swap scam. But Muthiyah wondered if there might be another way to break into accounts if neither of those options were available.

Muthiyah realised that all a hacker would need to do was enter the correct six-digit code – any value from 000000 to 999999 – within the ten-minute window in which Instagram would accept the code before expiring it.

Up to one million numbers to be entered within ten minutes, in order to change an Instagram account’s password.

Of course, the likes of Facebook and Instagram aren’t going to simply sit quietly as an automated script tries a brute force attack to guess the correct security code. Instead they have rate-limiting in place to detect when multiple attempts have been made to get past the security check and slow down subsequent attempts – meaning the ten minute window of opportunity expires.

In Muthiyah’s tests he discovered that when he cycled through 1000 attempts to guess an Instagram account’s security code, 250 of them went through and the subsequent 750 requests were rate limited.

However, after a few days of testing the researcher was able to discover that Instagram’s rate limiting mechanism could be bypassed by rotating IP addresses (in other words, not using the same computer to brute force the recovery code) and sending concurrently from different IP addresses:

“Sending concurrent requests using multiple IPs allowed me to send a large number of requests without getting limited. The number of requests we can send is dependent on concurrency of reqs and the number of IPs we use. Also, I realized that the code expires in 10 minutes, it makes the attack even harder, therefore we need 1000s of IPs to perform the attack.”

Muthiyah says that he used 1000 different machines and IPs to achieve easy concurrency, and sent 200,000 requests in his tests. He shared a YouTube video with Facebook and Instagram’s security team to demonstrate the attack in action.

Of course, 200,000 requests isn’t quite the million requests that would be necessary to guarantee the correct recovery passcode would be entered to allow an Instagram account to be hijacked.

Muthiyah’s investigation concludes that in a real attack around 5000 IP addresses would be needed to hack an Instagram account. Although that sounds like a large number, it is easily achieved at low cost (Muthiyah estimated roughly US$150 if a cloud provider such as Google or Amazon were used).
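Added example, not Muthiyah’s script or Instagram’s code: a small Python simulation of the two throttling policies the article contrasts. The per-IP verifier stops serving an address after 250 requests (the article’s figure) but never limits the account itself, so an attacker who rotates through a pool of addresses walks the whole code space; the per-account verifier burns the code after a handful of wrong guesses (an assumed value) and the same attacker gets nowhere. The IP pool, the fixed target code and the five-guess cap are constructed for the demonstration.

```python
"""Per-IP versus per-account throttling of a six-digit reset code.

Added example, not Instagram's code. The numbers taken from the article are
the 250 requests an IP gets before it is throttled and the 10-minute code
lifetime; the per-account cap of 5 wrong guesses is an assumed hardening value.
"""
import hmac
import math
import secrets
from collections import defaultdict
from typing import Optional

CODE_SPACE = 1_000_000        # six decimal digits: 000000 .. 999999
PER_IP_LIMIT = 250            # from the article: 250 of 1000 requests got through per IP
PER_ACCOUNT_LIMIT = 5         # assumed: wrong guesses tolerated per issued code


class ResetCodeVerifier:
    """One pending reset code per account, checked under a chosen policy.

    policy="per_ip": throttle each source IP after PER_IP_LIMIT requests, as
    the article describes Instagram doing; the account itself is unlimited.
    policy="per_account": burn the code after PER_ACCOUNT_LIMIT wrong guesses,
    regardless of where the guesses come from.
    """

    def __init__(self, policy: str):
        if policy not in ("per_ip", "per_account"):
            raise ValueError(policy)
        self.policy = policy
        self.codes = {}                          # account -> pending code
        self.ip_hits = defaultdict(int)          # ip -> requests seen
        self.account_fails = defaultdict(int)    # account -> wrong guesses

    def issue(self, account: str, code: Optional[str] = None) -> str:
        # A real service would also store an expiry here; the 10-minute window
        # in the article is what forces the attacker to parallelise.
        code = code if code is not None else f"{secrets.randbelow(CODE_SPACE):06d}"
        self.codes[account] = code
        self.account_fails[account] = 0
        return code

    def verify(self, account: str, ip: str, guess: str) -> str:
        """Return 'ok', 'wrong', 'rate_limited' or 'expired'."""
        if account not in self.codes:
            return "expired"
        if self.policy == "per_ip":
            self.ip_hits[ip] += 1
            if self.ip_hits[ip] > PER_IP_LIMIT:
                return "rate_limited"
        elif self.account_fails[account] >= PER_ACCOUNT_LIMIT:
            del self.codes[account]              # burn it; the user must request a fresh code
            return "expired"
        if hmac.compare_digest(self.codes[account], guess):
            del self.codes[account]              # single use
            return "ok"
        self.account_fails[account] += 1
        return "wrong"


def brute_force(verifier: ResetCodeVerifier, account: str, ip_pool, budget: int) -> dict:
    """Attacker model from the article: sweep the code space in order and move
    to a fresh IP whenever the current one is throttled."""
    ips = iter(ip_pool)
    ip = next(ips)
    sent = 0
    for n in range(CODE_SPACE):
        guess = f"{n:06d}"
        result = "rate_limited"
        while result == "rate_limited" and sent < budget:
            sent += 1
            result = verifier.verify(account, ip, guess)
            if result == "rate_limited":
                ip = next(ips, None)             # rotate and retry the same guess
                if ip is None:
                    return {"success": False, "sent": sent, "reason": "out_of_ips"}
        if result == "ok":
            return {"success": True, "sent": sent, "reason": "code_found"}
        if result == "expired":
            return {"success": False, "sent": sent, "reason": "code_burned"}
        if sent >= budget:
            return {"success": False, "sent": sent, "reason": "out_of_budget"}
    return {"success": False, "sent": sent, "reason": "exhausted"}


def ips_needed_for_full_sweep() -> int:
    """IPs an attacker needs to try every code once under per-IP throttling."""
    return math.ceil(CODE_SPACE / PER_IP_LIMIT)


if __name__ == "__main__":
    pool = [f"10.0.{i // 256}.{i % 256}" for i in range(5000)]   # constructed address pool
    for policy in ("per_ip", "per_account"):
        v = ResetCodeVerifier(policy)
        v.issue("victim", code="123456")        # fixed so the run is reproducible
        print(policy, brute_force(v, "victim", pool, budget=2_000_000))
    print("IPs for a full sweep under per-IP throttling:", ips_needed_for_full_sweep())
```

Run as a script, it reports how many requests the rotating attacker needed under each policy, and that covering all million codes under per-IP throttling at 250 per address takes 4,000 addresses, in the same range as the 5,000 the article cites. The fix that matters is the per-account rule: tie the attempt budget to the thing being protected (the code, the account) rather than to the attacker’s source address, which the attacker controls.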

All Instagram users should be grateful that Laxman Muthiyah chose to responsibly disclose the security vulnerability to Instagram’s security team rather than monetize his discovery by selling it to online criminals.

It’s easy to imagine that a technique like this would be very attractive to many hackers interested in compromising Instagram accounts, and they might be prepared to pay much more than the $30,000 Muthiyah received in the form of a bug bounty.

All internet users are reminded to better secure their online accounts with strong, unique passwords and to enable two-factor authentication wherever possible.

What to do if someone tries to access your Facebook or Instagram

A notification pops up on the smartphone screen: "We detected an unusual login attempt from Rio de Janeiro, Brazil." The first reaction is panic, especially if you live in, say, Vladivostok. What could it be? System failure? Or is someone from the other side of the world really encroaching on your account?

Whatever you do, don’t panic: that only plays into the attackers’ hands. So that you can stay calm and get through the incident with minimal losses, here is what may have happened and how to act.

What could have happened

First, let’s figure out how a stranger could have gained access to your account. There are several possibilities.

Data leak and credential stuffing

A third-party site where you registered may have been breached. Having acquired a list of logins, email addresses and passwords, scammers use them for credential stuffing, that is, they try the stolen credentials on many other sites. Unfortunately, many people protect their accounts on different services with the same password, and that is exactly what the criminals are counting on.

Alternatively, your Facebook or Instagram credentials may have leaked from an app you entrusted them to. For example, in June last year thousands of passwords for Instagram accounts whose owners had used the Social Captain service to buy likes and followers leaked online. It turned out that the service stored customer data unencrypted, and anyone could access it. It is reasonable to assume that many of the service’s users have since experienced hacking attempts.

Phishing

It may also be that some time ago you fell for phishing and your login and password went straight to the scammers. You clicked a link, and on the page that opened, which looked very much like the Facebook or Instagram login screen, you entered your credentials. That is how they ended up in criminal hands. For example, our experts recently discovered a phishing campaign in which victims were lured to phishing pages with the threat of having their Facebook account blocked for copyright infringement.

Password theft

Your password may have been stolen by malware you picked up somewhere. Many Trojans have a built-in keylogger, a component that records keystrokes. Every login and password the victim types, the keylogger passes straight to the attackers.

Access token stolen

Someone may have stolen your access token. So that you don’t have to enter a password every time you open Facebook or Instagram, the service stores a small piece of login data on your device, called an access token. If an attacker steals a current token, they can log into the account without a username or password.

Tokens can be stolen in different ways. Sometimes this is done through vulnerabilities in Facebook itself: in 2018, for example, attackers were able to obtain access tokens for 50 million Facebook accounts. Attackers can also use malicious browser extensions to steal tokens.

Login from someone else's device

It’s possible that you logged into Facebook or Instagram from someone else’s device, at a party, in an Internet cafe, in a hotel lobby and so on, and did not log out afterwards. Or perhaps you forgot to log out of your account on a device you have since sold or given away. Now someone has discovered your oversight and logged into your account.

False alarm (phishing again)

Your account may not have been hacked at all; instead, someone is trying to hack it with a fake suspicious-login notification. This is the same phishing we talked about above, in a slightly different form. Instead of the threat of blocking, scammers use fake suspicious-login alerts with a link to a phishing site that imitates the login page. They expect the panicked victim to go to the fake site and enter their username and password there.

And what to do?

We have sorted out the possible causes; now it’s time to act. To start, log into your account, but not through the link in the notification (as we already know, it may lead to a phishing site): use the mobile app or type the address into the browser manually. If the password no longer works and you cannot log in, refer to the detailed instructions on what to do if your account has already been hijacked, which we published earlier.

If you can still get into your account, go to the account settings and check whether the notification was genuine. The path to the relevant settings item differs for each social network. Open the “Account Logins” section: if there are no suspicious entries there, everything is in order, and the message about the hack was just phishing.

If you really do see a suspicious entry in the list of logins, it’s time to take protective measures quickly; timely action will soften the blow:

  • Log out of your account on all devices. On Instagram you will have to end each session manually in the “Account Logins” menu; on Facebook this can be done with a single click in the “Security and login” section of the settings. This resets the access tokens.
  • Make sure that the correct phone number and email address are specified in the account settings: attackers may have changed them so that the link or code for changing the password is sent to them instead. If they managed to do this, change the details back to yours.
  • Set a new password that is strong and that you don’t use anywhere else. If you aren’t sure you can remember it, save it in a password manager, which will also help you generate a strong one.
  • Turn on two-factor authentication to make it harder for attackers to break into your accounts even if they know your password.
  • After that, be sure to check all your devices with a reliable antivirus to make sure they are free of malware. Attention to security settings, together with good protection, will make your account a fortress.
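The access-token discussion above and the first step of the list (logging out everywhere to reset tokens) are easiest to see in code. The following Python is an added example, not Facebook’s or Instagram’s implementation: tokens are HMAC-signed claims carrying a per-user generation number, and “log out of all devices” simply increments that number, so every previously issued token fails validation without the server keeping a list of them. The signing key, in-memory store, claim names and user ids are assumptions of the example.

```python
"""Access tokens bound to a per-user session generation.

Added example, not Facebook's or Instagram's implementation. Each token carries
the generation number that was current when it was issued; "log out of all
devices" bumps that number, so every older token is rejected. The signing key,
the in-memory store and the token layout are all assumptions of this example.
"""
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

SERVER_KEY = b"assumed-server-secret-keep-in-a-secret-store"   # assumption


class SessionStore:
    """Per-user generation counter (an integer column in a real user table)."""

    def __init__(self):
        self._generation = {}

    def current(self, user_id: str) -> int:
        return self._generation.get(user_id, 0)

    def logout_everywhere(self, user_id: str) -> int:
        """Invalidate every token issued so far by moving to a new generation."""
        self._generation[user_id] = self.current(user_id) + 1
        return self._generation[user_id]


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def _sign(body: bytes) -> bytes:
    return hmac.new(SERVER_KEY, body, hashlib.sha256).digest()


def issue_token(store: SessionStore, user_id: str, ttl: int = 86400,
                now: Optional[float] = None) -> str:
    """Mint '<base64 claims>.<base64 hmac>' for the user's current generation."""
    now = time.time() if now is None else now
    claims = {"uid": user_id, "gen": store.current(user_id), "exp": int(now) + ttl}
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return _b64(body) + "." + _b64(_sign(body))


def validate_token(store: SessionStore, token: str,
                   now: Optional[float] = None) -> Tuple[Optional[str], str]:
    """Return (user_id, 'ok') or (None, reason). The signature is checked
    before anything in the body is parsed or trusted."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, binascii.Error):
        return None, "malformed"
    if not hmac.compare_digest(sig, _sign(body)):
        return None, "bad_signature"
    try:
        claims = json.loads(body)
        uid, gen, exp = claims["uid"], int(claims["gen"]), int(claims["exp"])
    except (ValueError, KeyError, TypeError):
        return None, "malformed"
    if exp < now:
        return None, "expired"
    if gen != store.current(uid):
        return None, "revoked"           # issued before the last logout-everywhere
    return uid, "ok"


def tamper_body(token: str, new_claims: dict) -> str:
    """Attacker's attempt: swap the claims but keep the original signature."""
    _, sig_b64 = token.split(".")
    body = json.dumps(new_claims, separators=(",", ":"), sort_keys=True).encode()
    return _b64(body) + "." + sig_b64


if __name__ == "__main__":
    store = SessionStore()
    phone = issue_token(store, "ellie")          # token on the owner's phone
    stolen = issue_token(store, "ellie")         # copy an attacker exfiltrated
    print(validate_token(store, stolen))         # accepted until she acts
    store.logout_everywhere("ellie")             # the "log out of all devices" button
    print(validate_token(store, stolen))         # revoked
    print(validate_token(store, phone))          # revoked too; she logs in again
    fresh = issue_token(store, "ellie")
    print(validate_token(store, fresh))          # ok
    forged = tamper_body(fresh, {"uid": "admin", "gen": 1, "exp": 4102444800})
    print(validate_token(store, forged))         # bad_signature
```

The order of checks matters: the signature is verified before the body is parsed, the expiry bounds how long a leaked token stays useful even if the owner never notices, and the generation check is what makes the logout-everywhere button effective against a token that was copied off a device.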

A hacker hacked Instagram in 10 minutes and got $30,000.

Security researcher Laxman Muthiyah found a way to hack any Instagram account in ten minutes, as he announced on his blog. According to Muthiyah, the vulnerability was in the password recovery system, where a one-time numeric code is sent to the user to verify their identity.

Muthiyah described on his blog how he managed to hack Instagram in 10 minutes. While Facebook, which owns the photo-sharing service, constantly works to improve security and block outside interference, Muthiyah’s example shows that this work is never finished.

The expert discovered a vulnerability in Instagram’s password recovery system. When a user enters their phone number to regain access to a profile, Instagram sends a six-digit numeric code that must be entered to verify their identity.

Laxman Muthiyah reasoned that if he could try a million different codes at this stage, one would definitely work, which would allow a password change on any Instagram account.

Nevertheless, the expert rightly assumed that the service would most likely have protection against such a blunt brute-force attack.

Indeed, Instagram limits the number of code attempts a single address can make. Muthiyah then calculated that a successful attack would need about 5,000 IP addresses to cover the million possible codes; in his own tests he sent 200,000 requests. According to him, this is not hard to arrange using Google’s or Amazon’s cloud services, and the whole attack would cost an attacker about $150.

Laxman Muthiyah sent his research to Facebook, which confirmed the weakness of the existing system. As stated in a letter from the social network, the vulnerability in Instagram was fixed, and Muthiyah received $30,000 as a bug bounty, the reward for reporting the flaw.

The expert also gave some advice to those who use Instagram to protect themselves and their data.

He recommends changing your password regularly, using only unique and varied combinations, and making sure to use two-factor authentication so that any changes to the account require the user’s approval.

In May of this year, a massive leak of personal information of Instagram bloggers and celebrities came to light, affecting about 50 million people. A database containing the details of millions of Instagram stars was discovered online, TechCrunch reported. The database, hosted in the public cloud of Amazon Web Services, was accessible to anyone.

Each entry contained personal data of Instagram bloggers and influencers, including their bio, profile photo, number of followers and location, as well as their email address and mobile phone number.

