Home » Misc » How to hack instagram users

How to hack instagram users


How to Hack Instagram: 5 Common Vulnerabilities

Instagram is a free and popular photo-sharing social media platform that allows you to share photos and videos with your friends and family members. As with any other popular social media platform, there is an increased interest by cybercriminals to hack Instagram accounts. This article will talk about the five common methods and what you can do to prevent cybercriminals from hacking Instagram accounts.

Instagram Hacks and Vulnerabilities:
  1. Weak Passwords
  2. Remote Keyloggers
  3. Phishing Emails
  4. Zero Day Vulnerability
  5. Mobile Operating System Vulnerabilities

Check out this related video below.

1. Weak Passwords

Hackers can easily hack Instagram accounts if the passwords are easy and are commonly used such as a nickname, phone number, partner’s name, pet name, just to name a few. The hacker could perform a brute force attack to obtain your password and once they do, they can do whatever they want with your account.

How to Protect Against Weak Passwords?

Users should make sure that they select a strong password with a combination of numbers, symbols, space bar, and lower and uppercase letters. They should make sure that the password for their Instagram account is unique and not the same password used for other email or social media accounts.

This would reduce the risk of your account being compromised. A usual site to verify that your accounts are safe is HaveIBeenPwned. Here you can see if your credentials have been leaked to the public.

2. Remote Keyloggers

A remote keylogger is a “piece of software that records whatever you type on your mobile device or computer and sends it to the person who installed it'' (The Zero Hack). Once a keylogger is installed, anything that is typed (password, login credentials, bank information, etc.) will be recorded and can be viewed by the hacker. This is a secretive method for a hacker to hack Instagram accounts. 

How to Protect Against Remote Keyloggers

  1. Do not use third party keyboard apps 
  2. Do not open any attachments or click on links in the email message as the keylogger may be embedded in the attachment
  3. Install anti-spyware applications to help detect, disable, quarantine software-based keyboard loggers (Norton)

3. Phishing Emails

An attacker sends an email pretending to be from Instagram and advises you to click on a link to reset your password or to fill out some survey. Regardless of the content of the email, as soon as you click on the link and enter any credentials, the attacker has your personal information and successfully gains control of your Instagram account.  

In 2019, a hacking group stole identities of high profiles by sending phishing emails to these accounts stating that they may be eligible to receive the Verified badge on their Instagram profile. The email provides a link asking the user to verify their Instagram account by entering their credentials (see screenshot below).

The attacker successfully gained the credentials of the high-profile accounts and tricked users into thinking they are verified. This is another method to hack Instagram accounts.

How to Protect Against Phishing Attacks?

  1. Users should be educated and informed on the characteristics of phishing emails in order to keep an eye out for them. Here are what you can do:
  2. Do not click on any links or open any attachments from a suspicious email
  3. Do not enter personal information from a pop-up screen (note: legit companies would never ask for personal information via a pop-up screen 
  4. Keep an eye out for misspellings in the contents of the email

4. Zero Day Vulnerability 

A zero day vulnerability is a “software security flaw that is known to the software vendor but doesn’t have a patch in place to fix the flaw” and may be exploited by hackers (Norton). If a hacker finds a zero day vulnerability on Instagram, there could be some serious security risks for Instagram users and their accounts. Since it is an undiscovered vulnerability that has not been publicly announced yet, this gives the hackers an advantage. 

How to Protect against a Zero Day Vulnerability?

  1. There is no way to completely avoid zero day vulnerabilities, but you can take the necessary security precautions to prevent attackers from hacking Instagram. These are just a few:
  2. Make sure that you are using the latest version of Instagram 
  3. Enable two factor authentication 

5. Mobile Operating System Vulnerabilities

If there are vulnerabilities on the mobile operating system then hackers can not only hack into the phones themself, but they can also hack Instagram. Most of the exploited vulnerabilities may come from zero day vulnerabilities.  

How to Protect against Operating System Vulnerabilities

  1. Make sure to upgrade your operating system when an update is available 
  2. Do not install applications from unknown sources and only from trusted sources on the app store.

Final Thoughts on Instagram Hacks and How to Prevent Them

These are the five common methods on how to hack Instagram and how to protect against each method to prevent your Instagram account from being hacked. I am sure that there are many other techniques that hackers can use to hack Instagram accounts.

Hackers are always one step ahead in finding new techniques where prevention might not be possible at first. Therefore, you should make sure that you do everything you can to ensure that your account is secure.

How any Instagram account could be hacked in less than 10 minutes

Graham CLULEY

July 15, 2019

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial

A security researcher has been awarded $30,000 after discovering a serious vulnerability that could potentially have put any Instagram account at risk of being hacked.

Following a recent increase in rewards offered for the discovery of critical account takeover vulnerabilities in Facebook and Instagram, Indian security researcher Laxman Muthiyah chose to take a close look at the photo-sharing service.

As he describes in a blog post, Muthiyah explored whether there might be a vulnerability in how Instagram handled password reset requests for users who have forgotten their login credentials.

Mutiyah found that when users asked for a password reset via Instagram’s web interface, the site would email a reset link to the user’s email account.

After a few minutes of testing Mutiyah couldn’t find any bugs, and so turned his attention instead to how smartphone users recover access to their Instagram accounts.

What Mutiyah found was that Instagram offered the option for users locked out of their accounts to request that a six-digit secret security code be sent to their mobile phone number or email account. If that passcode is entered, a user can regain access to their Instagram account.

In theory, if a hacker could enter the six-digit security code they would be able to break into the Instagram account (and reset the password locking out the legitimate owner.)

Now, that passcode could potentially be stolen if a hacker had somehow managed to gain access to their target’s email account, or had hijacked control of their victim’s mobile phone number via a SIM swap scam. But Mutiyah wondered if there might be another way to break into accounts if neither of those options were available.

Mutiyah realised that all a hacker would need to do was enter the correct six digit code – a code that could be any combination between 000000 and 999999 – within the ten minute window Instagram would accept the code before expiring it.

Up to one million numbers to be entered within ten minutes, in order to change an Instagram account’s password.

Of course, the likes of Facebook and Instagram aren’t going to simply sit quietly as an automated script tries a brute force attack to guess the correct security code. Instead they have rate-limiting in place to detect when multiple attempts have been made to get past the security check and slow down subsequent attempts – meaning the ten minute window of opportunity expires.

In Mutiyah’s tests he discovered that when he cycled through 1000 attempts to guess an Instagram account’s security codes, 250 of them went through and the subsequent 750 requests were rate limited.

However, after a few days of testing the researcher was able to discover that Instagram’s rate limiting mechanism could be bypassed by rotating IP addresses (in other words, not using the same computer to brute force the recovery code) and sending concurrently from different IP addresses:

“Sending concurrent requests using multiple IPs allowed me to send a large number of requests without getting limited. The number of requests we can send is dependent on concurrency of reqs and the number of IPs we use. Also, I realized that the code expires in 10 minutes, it makes the attack even harder, therefore we need 1000s of IPs to perform the attack.”

Mutiyah says that he used 1000 different machines and IPs to achieve easy concurrency, and sent 200,000 requests in his tests. He shared a YouTube video with Facebook and Instagram’s security team to demonstrate the attack in action:

Of course, 200,000 requests isn’t quite the million requests that would be necessary to guarantee the correct recovery passcode would be entered to allow an Instagram account to be hijacked.

Mutiyah’s investigation concludes that in a real attack, 5000 IP addresses would be needed to hack an Instagram account. Although that sounds like a large number, it can actually be easily achieved at a low price (Mutiyah says there would be approximately US $150 cost if a cloud provider like Google or Amazon was used).

All Instagram users should be grateful that Laxman Muthiyah chose to responsibly disclose the security vulnerability to Instagram’s security team rather than monetize his discovery by selling it to online criminals.

It’s easy to imagine that a technique like this would be very attractive to many hackers interested in compromising Instagram accounts, and they might be prepared to pay much more than the $30,000 Muthiyah received in the form of a bug bounty.

All internet users are reminded to better secure their online accounts with strong, unique passwords and to enable two-factor authentication wherever possible.

What to do if someone tries to access your Facebook or Instagram

A notification pops up on the smartphone screen: "We detected an unusual login attempt from Rio de Janeiro, Brazil. " The first reaction is panic, especially if you live in, say, Vladivostok. What could it be? System failure? Or is someone from the other side of the world really encroaching on your account?

There is no way to panic in such a situation - this will only play into the hands of the burglars. So that you can remain calm and survive this incident with minimal losses, we will arm you with knowledge: we tell you what the matter might be and how to act.

What could have happened

First, let's figure out how a stranger could gain access to your account at all. There are several options here.

Data leak and wildcard attack

A third party site where you registered might have been leaked. Having acquired a list of logins, e-mail addresses and passwords, scammers use them for a substitution attack, that is, they try to enter stolen credentials on many sites. Unfortunately, many people set the same passwords to protect their accounts in different services - this is what criminals are counting on.

Alternatively, your Facebook or Instagram credentials may have been leaked from the app you trusted them to. For example, in June last year, thousands of passwords from Instagram accounts leaked to the network, the owners of which used the Social Captain service to buy likes and followers. It turned out that he did not encrypt customer data, and anyone could get access to it. It is reasonable to assume that many users of the service have since experienced hacking attempts.

Phishing

It may also be that some time ago you fell for phishing, and your login with a password fell into the hands of scammers directly. They clicked on some link, and on the page that opened, very similar to the Facebook or Instagram login screen, they entered their credentials. So they ended up with the criminal. For example, most recently, our experts discovered a phishing campaign in which victims were lured to phishing pages by the threat of blocking their Facebook account due to copyright infringement.

Password theft

Your password may have been stolen by malware you picked up somewhere. Many Trojans have a built-in keylogger, a program that registers keystrokes on the keyboard. All logins and passwords that the victim enters, the keylogger directly passes into the hands of attackers.

Access token stolen

Someone may have stolen your access token. So that you don't have to enter a password every time you log into Facebook or Instagram, it saves a small piece of information needed to log in to your computer, which is called a token or access token. If an attacker steals the current token, he will be able to log into the account without a username and password.

Tokens can be stolen in different ways. Sometimes this is done through vulnerabilities in Facebook itself - for example, in 2018, attackers were able to get access tokens to 50 million Facebook accounts. Also, attackers can use browser extensions to steal tokens.

Login from someone else's device

It's possible that you logged into Facebook or Instagram from someone else's device - at a party, in an Internet cafe, in a hotel lobby, and so on - and did not log out after that. Or, for example, they forgot to log out of their account on a device that they had already sold or donated. Now someone has discovered your oversight and logged into your account.

False alarm (phishing again)

Your account may not have been hacked at all, but they are trying with a fake suspicious login notification. This is the same phishing that we talked about above, but a slightly different version of it. Instead of the threat of blocking, scammers can use fake suspicious login notifications with a link to phishing sites similar to the login page. Attackers expect that the victim in a panic will go to a fake site and enter their username and password there.

And what to do?

We have sorted out the possible causes, now it's time to act. To get started, log into your account - but in any case not through the link from the notification (as we already know, it can lead to a phishing site), but through the mobile application or by entering the address in the browser manually. If the password does not match and you can no longer log into your account, refer to the detailed instructions on what to do if your account has already been hijacked, which we published earlier.

If you are still allowed into your account, go to your account settings and verify the authenticity of the notification. For each social network, the path to the desired settings item will be different - see how this is done on Facebook and Instagram. Then go to the “Account Logins” section: if there are no suspicious entries there, then everything is in order, and the message about the hack was still phishing.

If you really see a suspicious one in the list of logins to your account, then it's time to hurry up to take protective measures - timely actions will help soften the blow:

  • Log out of your account on all devices. On Instagram, you will have to manually end each session in menu Account Logins . And on Facebook, this can be done with a single click in the Security and login section in the settings. This will reset the access tokens.
  • Make sure that the correct phone number and email address are specified in the account settings: attackers could change the data so that the link or code to change the password is sent to them. If they managed to do this, change it back to yours.
  • Set a new password that is strong and one that you don't use anywhere else. If you're not sure you can remember it, save it in a password manager. By the way, at the same time the program will help you come up with a reliable combination.
  • Turn on two-factor authentication to make it harder for attackers to break into your accounts, even if they know your password.
  • After that, be sure to check all your devices with a reliable antivirus to make sure that they are free of malware. Attention to security settings along with good protection will make your account your fortress.
Tips

Air sellers in online stores

We tell how scammers deceive users of a well-known marketplace using a fake product payment page.

Subscribe to our weekly newsletter
  • Email*
  • *
    • I agree to provide my email address to AO Kaspersky Lab in order to receive notifications of new publications on the site. I can withdraw my consent at any time by clicking on the "unsubscribe" button at the end of any of the emails sent to me for the above reasons.

Hacking Instagram accounts through copyright infringement notices

Gained a few thousand followers on Instagram? Even more? Congratulations! You are a real celebrity! But in addition to laurels, well-known Insta bloggers have a greater risk of account theft. Not so long ago, scammers invented a new scheme to hijack popular Instagram accounts. We will tell about it now.

"Your account will be permanently deleted due to copyright infringement," the email reads. It looks quite official: here you have both the official header and the Instagram logo, and the sender’s address is very similar to the real one – in most cases it is mail@theinstagram. team or [email protected].

The notice says you have only 24 hours (48 hours in some versions) to file your appeal. In the letter itself, you will also find a button for appealing the complaint - Review complaint. If you click it, you will be taken to an extremely believable phishing page.

This page tells you how much the service cares about copyright protection. But the most important thing is that there is a link on the page, according to which you can allegedly appeal the deletion of your account. To make everything look even more natural, the page has a long list of language choices, but it's there only for show - whatever you choose, the page is displayed exclusively in English.

After clicking on the account deletion appeal link, you will be prompted to enter your Instagram account information. But that's not all - then a new message appears: "We need to authenticate your application and make sure that the email address matches the one specified in Instagram. " If you agree to address verification, a list of possible domains will appear on the screen. Selecting one of them, you will see a prompt to enter an email address and (suddenly!) password from it.

You will then see a message for just a few seconds that your request is being processed, after which you will be redirected to the real Instagram site. This is another trick that adds credibility to the scam.

This is not the first time popular Instagram users have been targeted by scammers. Recently, a wave of thefts took place under the pretext of obtaining a blue checkmark - a verification badge (Verified Badge).

How to protect your Instagram account

As soon as your username and password are in the hands of attackers, they will gain access to your Instagram profile and be able to change data to recover it. They can then demand a ransom to get the account back, or start sending spam and other malicious content from it. Not to mention what "open spaces" in front of them will open the password from your email.

Here are some tips to help keep your Instagram account safe:

  • Don't click on suspicious links.
  • Always check the URL in the address bar. If instead of Instagram.com something like 1stogram.com or instagram.security-settings.com is written there, in no case do not enter any personal data and generally close the page as soon as possible.
  • Only use the official social network app installed from the official app store (eg Google Play for Android or App Store for iOS).
  • Do not enter your Instagram account information to sign in to other services and applications.
  • Turn on two-factor authentication in your Instagram and email service settings.
  • Use reliable protection that will filter out suspicious emails and prevent you from opening phishing pages. For example, Kaspersky Internet SecurityPLACEHOLDER> can do all this.
Tips

Air sellers in online stores

We tell how scammers deceive users of a well-known marketplace using a fake product payment page.

Learn more