How to protect yourself before and after an Instagram / Meta hack

If you receive a text like this one, it appears to be (and is) a legitimate one from Meta. However, you are very likely being hacked!

I get contacted on a regular basis about hacked accounts and how to recover them. This particular case had me stumped for a while: ingenious hackers were able to regain access to an account after it had been reset by Meta, even after the owner had completed facial verification and ID checks... with multi-factor authentication switched on!

The Short Version (TL;DR)

  • Ensure you have multi-factor authentication (MFA) on all accounts, where available. Where MFA is unavailable, use a strong password and a password manager
  • NEVER click on a link or send a screenshot of a message to "a friend" (hacker)
  • If you have been hacked and are able to recover your account, reset your backup codes immediately and turn on multi-factor afterwards (do not assume that, just because you have recovered your account, the hackers no longer have access!) - details below
  • Use an authenticator app (vs SMS) for multi-factor authentication

The Full Version - What Actually Happened?

I was contacted by a friend who tried to get their Instagram account back.

[Image: Under attack!]

He had accidentally shared information with one of his supposed friends (also a hacked account) that allowed the hackers to take control of his own account.

After he eventually recovered his account, I was amazed and honestly quite impressed that the hackers managed to regain access, even though he had multi-factor authentication turned on. At first I thought they might have access to his email account, but they didn't.

I like to try to work out how sophisticated hackers really are by engaging them in some conversation and working out how they did it.

I pretended I didn't know my friend had been hacked (again!) to see how long it might take for them to target me:

[Image: Initiating dialogue to pretend I think he's got his account back]

Sure enough, later that day...

[Image: They worked out how to trigger a password reset for MY account, which resulted in the legitimate Meta SMS with a password reset link]

I received an SMS link from Facebook shortly after to reset my password. Obviously I didn't click on it or copy anything and send it back to them.

If I had done so, they'd have likely taken control of my account too if I wasn't careful.

It transpires that when they gained access to my friend's account, they copied the MFA backup codes and later used them to get back in.

After Meta had completed ID checks including facial verification (this in itself was problematic: make sure you send them a video wearing clothing similar to some of your posts, with a similar background if possible... it may sound silly, but it was necessary!), they didn't reset the backup recovery codes for MFA! Which was madness, as it left his account wide open!

Recovery codes are in the Instagram app under Security > Two-factor authentication > Additional methods

[Image: "When you can't access your phone or email address"... AKA the hacker's back door!]

[Image: The recovery codes]

If you have the Backup codes, you can get back into an account even after the password has been changed... even with two-factor authentication on!

I raised this as an issue with Meta but they claimed that it's not a security flaw, it's "by design" - which to me seems ridiculous, that they would confirm 100% that an account is owned by a user who's been hacked (ID & facial verification etc.) but leave the backdoor open...

Whatever you do, keep your backup / recovery codes in a very safe and protected place. Most (if not all) services that offer a multi-factor authentication option provide these codes.
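To make the flaw above concrete, here is an added example (my own toy model, not Meta's code or anything from the article's author) of an account with a password, an authenticator app and one-time backup codes. The "weak" recovery path changes the password but leaves the backup codes in place, which is what the story describes; the "hardened" path rotates the codes as part of recovery. All class and function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional, Set

# Constructed model of an account with a password, an authenticator app as the
# second factor and one-time backup codes. All names here are assumptions for
# this example; they are not Meta's implementation.


def _hash_code(code: str) -> str:
    # Backup codes are stored hashed, like any other secret the service must verify.
    return hashlib.sha256(code.strip().lower().encode()).hexdigest()


class Account:
    def __init__(self, password: str) -> None:
        self.password = password
        self.backup_code_hashes: Set[str] = set()

    def issue_backup_codes(self, count: int = 5) -> List[str]:
        """Generate fresh one-time codes and discard every previously issued one."""
        codes = [secrets.token_hex(4) for _ in range(count)]
        self.backup_code_hashes = {_hash_code(c) for c in codes}
        return codes

    def verify_backup_code(self, code: str) -> bool:
        """Accept a code once; a used or rotated code is rejected."""
        digest = _hash_code(code)
        if digest in self.backup_code_hashes:
            self.backup_code_hashes.discard(digest)
            return True
        return False

    def login(self, password: str, authenticator_ok: bool = False,
              backup_code: Optional[str] = None) -> bool:
        """Password plus a second factor: a verified authenticator prompt or one backup code."""
        if not hmac.compare_digest(password, self.password):
            return False
        if authenticator_ok:
            return True
        return backup_code is not None and self.verify_backup_code(backup_code)


def recover_weak(acct: Account, new_password: str) -> None:
    """Recovery as the article describes it: the password changes, backup codes survive."""
    acct.password = new_password


def recover_hardened(acct: Account, new_password: str) -> List[str]:
    """Recovery that also rotates backup codes, so anything copied earlier stops working."""
    acct.password = new_password
    return acct.issue_backup_codes()


def stolen_code_survives_recovery(hardened: bool) -> bool:
    """Does a backup code copied before recovery still count as a valid second factor afterwards?"""
    acct = Account(password="original-pw")
    stolen = acct.issue_backup_codes()[0]   # copied while the attacker controlled the account
    if hardened:
        recover_hardened(acct, "new-pw")
    else:
        recover_weak(acct, "new-pw")
    return acct.verify_backup_code(stolen)


if __name__ == "__main__":
    print("weak recovery, stolen code still valid:", stolen_code_survives_recovery(False))
    print("hardened recovery, stolen code still valid:", stolen_code_survives_recovery(True))
```

The point of the model is the general one: an account recovery should invalidate every secret the previous holder could have copied (backup codes, sessions, app passwords), not just the password. Until the service does that for you, rotating the codes yourself right after recovery is the only way to close the door.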

Use an authenticator app instead of SMS where it is available, and turn off SMS as a multi-factor authentication method. It's a tiny bit more work (debatable) for a lot more security!

When we launched BLOKK it seemed like an obvious feature for us to build, to protect users from social engineering attempts such as this one, by blocking typical password reset URLs and flagging to the user that they may be under attack.

[Image: URL is blocked by default]

The password reset URL is blocked by default. The user may have been trying to reset their own password, but is more likely the victim of a social engineering or hacking attempt. The block should highlight to them that there may be a problem.

[Image: The user can enable the site temporarily]

We will be improving the messaging to reference specific risks of social engineering; however, the protection is there already and will prevent others from falling into the same trap.
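As an added example of the block-by-default behaviour described above (my own illustration, not BLOKK's code), the small guard below flags password reset links on a configured set of protected hosts and supports the "enable the site temporarily" action with an expiry. The reset-URL patterns, the host names and the sample links are constructed assumptions; real reset links differ per service.

```python
import re
import time
from typing import Dict, Iterable, Optional
from urllib.parse import urlparse

# Constructed path/query patterns for "typical password reset URLs". Real reset
# links differ per service, so this list is an assumption, not BLOKK's own rules.
RESET_PATTERN = re.compile(
    r"(reset|recover|forgot)[_\-]?(password|pwd|account)?|password[/_\-]?(reset|recovery)",
    re.IGNORECASE,
)


class ResetLinkGuard:
    """Block reset links on protected hosts unless the user has temporarily enabled the site."""

    def __init__(self, protected_hosts: Iterable[str], allow_seconds: int = 300) -> None:
        self.protected_hosts = {h.lower() for h in protected_hosts}
        self.allow_seconds = allow_seconds
        self._temp_allow_until: Dict[str, float] = {}   # protected host -> expiry timestamp

    def _protected_host_for(self, host: str) -> Optional[str]:
        # Match the host itself or any subdomain of a protected host.
        host = host.lower()
        for protected in self.protected_hosts:
            if host == protected or host.endswith("." + protected):
                return protected
        return None

    def enable_temporarily(self, host: str, now: Optional[float] = None) -> None:
        """The 'enable the site temporarily' action: lifts the block for allow_seconds."""
        now = time.time() if now is None else now
        protected = self._protected_host_for(host)
        if protected is not None:
            self._temp_allow_until[protected] = now + self.allow_seconds

    def decide(self, url: str, now: Optional[float] = None) -> str:
        """Return 'allow', 'allow-temporary' or 'block-reset-link' for one URL."""
        now = time.time() if now is None else now
        parts = urlparse(url)
        protected = self._protected_host_for(parts.hostname or "")
        if protected is None:
            return "allow"                      # not a site we guard
        expiry = self._temp_allow_until.get(protected)
        if expiry is not None and now < expiry:
            return "allow-temporary"
        if RESET_PATTERN.search(parts.path) or RESET_PATTERN.search(parts.query):
            return "block-reset-link"           # surface a "you may be under attack" warning here
        return "allow"


# Constructed sample links, as they might arrive by SMS or DM (the hosts are placeholders).
SAMPLE_LINKS = [
    "https://social.example/accounts/password/reset/confirm/?token=CONSTRUCTED",
    "https://www.social.example/p/photo123",
    "https://unrelated.example/reset-password",
]

if __name__ == "__main__":
    guard = ResetLinkGuard(["social.example"])
    for link in SAMPLE_LINKS:
        print(guard.decide(link), link)
```

Two design choices are worth noting: the block is keyed on the protected host rather than on a list of bad links, so a legitimate reset link (as in the story, the SMS really was from Meta) is still interrupted, and the temporary allow expires on its own so the guard returns to blocking without the user having to remember to re-enable it.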

Whether you use BLOKK or not, I hope this story helps to highlight an issue that I've since seen many times and helps to prevent it from happening again.

Quick reminder of steps to take:

  • Ensure you have multi-factor authentication (MFA) on all accounts, where available. Where MFA is unavailable, use a strong password and a password manager
  • NEVER click on a link or send a screenshot of a message to "a friend" (hacker)
  • If you have been hacked and are able to recover your account, reset your backup codes immediately and turn on multi-factor afterwards (do not assume that, just because you have recovered your account, the hackers no longer have access!) as outlined above
  • Use an authenticator app (vs SMS) for multi-factor authentication

Feedback welcome in the comments!

Edit: Not you, bot scammers... what is wrong with you? Did you even read the article? Of course not - you're bots!!! Quick off the mark too... kind of impressive... three bot responses in 11 minutes... preying on people who have been in a similar situation to my friend - do NOT engage with them, obviously...

Richard Lowe Jr

Multiple time Best Selling Author and Ghostwriter, with more than 100 books published

2 years

Great advice. I've also found it is possible to turn on MFA using several devices, so I have Authenticator on my phone and tablet. This helps regain my account if my phone is no longer accessible. By the way, I am a cybersecurity technical writer with 33 years of tech experience. Please feel free to connect with me.
