[HN Gopher] Ask HN: How does my Instagram keep getting compromised?
___________________________________________________________________
Ask HN: How does my Instagram keep getting compromised?
I was an early Instagram user and got my nickname as my handle and
I keep getting either locked out of my account or compromised
altogether. Over the years, hackers have tried a number of things
to steal my handle and I can usually tell how they get in. These
days, I have no idea. I've been SIM swapped a handful of times. One
time a hacker faxed a fake ID to GoDaddy to try and swap out my
domain to gain control of my email (they were successful). Now, I
will try to log in to my account and will just be locked out. The
email I created specifically for Instagram is not recognized, and
there is no way to reset my password. I have two-factor auth on, I
don't use the same password anywhere else, I change it regularly,
etc. My current theory is there is some employee at Meta that's
ultimately stealing the account. Does anybody have any idea how
they're hacking me? PS: the worst part about all this is that in order
to get the handle back, I have to pull strings with folks I know at
Meta; a normal user would have absolutely no way of
regaining access... [Update] Just got the account back and still
have no idea how my email was removed from the account... [Update
2] Reviewing the security section I see a password reset email was
sent to [username]@instagramz.com. No clue how or who changed the
account email to that though.
Author : china
Score : 151 points
Date : 2021-12-28 17:42 UTC (5 hours ago)
| toomuchtodo wrote:
| Have you tried reporting this to Meta's security team and copying
| your state's attorney general? Sounds like the CFAA would apply.
| You may not win, but making noise may help, and if it's an
| insider they might be fired if Meta knows the legal apparatus is
| notified.
|
| https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act
| china wrote:
| I haven't yet... so far I have always been able to get it back
| via a friend at FB.
| toomuchtodo wrote:
| Get on record with law enforcement and state legal reps.
| Unauthorized authorization is a federal crime, and a paper
| trail is crucial for seeking recourse.
| tpoacher wrote:
| Meta just seems to be superhackable with the company not giving a
| shit these days.
|
| There was another user here the other day who had their
| heavymetal community page hacked, and facebook's advice page was
| to "politely ask the new owner to let them back in" [1].
|
| Absolutely ridiculous.
|
| [1] https://news.ycombinator.com/item?id=29706571
| FDSGSG wrote:
| > My current theory is there is some employee at Meta that's
| ultimately stealing the account
|
| This happens all the time, there is no recourse. Instagram
| employees are constantly taking usernames for themselves.
| leftpass wrote:
| Not just themselves, often it's stolen to order: there have been a
| few mainstream stories about this and they often mention that
| paying off Facebook employees is pretty commonplace because the
| value of these usernames and the low-paid customer service
| representatives are a recipe for bribery.
| tmp_anon_22 wrote:
| Seems like employees can manually escalate accounts into a
| locked state and my guess is if it remains in that state long
| enough it's easier to claim.
|
| So they frustrate users long enough to eventually give up on
| constantly reclaiming the account, then they get it for
| themselves to sell or whatever.
| KaiserPro wrote:
| Wait, what? How are they not fired? That's got to be against the
| "community guidelines" (unless of course it's for an advertiser
| or political organisation.)
| jandrese wrote:
| I assume they aren't emailing Mark Zuckerberg with every
| account they steal. All it takes is lax internal auditing and
| a culture where customer service[1] is not valued and this
| could go on for a very long time.
|
| [1] Ok, this is a little unfair. They do have customer
| service, but what they don't have is product service, and
| this guy is just part of the product, not a customer.
| rich_sasha wrote:
| Interesting, do you have any links to that end?
| FDSGSG wrote:
| Just my personal observation. I earned around half a million
| dollars by running an "autoclaimer" that would automatically
| register Instagram names as they'd become available. I'd
| regularly see Instagram employees grabbing names from my
| portfolio for themselves.
| Rastonbury wrote:
| How do valuable usernames 'become available'? Like the
| person deletes their account?
| FDSGSG wrote:
| People deleting their accounts, or trying to sell their
| usernames and messing up the transfer.
| vanusa wrote:
| If you could post before / after screenshots showing proof
| of this theft somewhere - along with the real-world names
| of these employees -- that might get a lot of eyeballs.
| pshc wrote:
| I can understand the company pulling usernames from an
| automated name squatter... but I wonder if this happens to
| fully established accounts too?
| FDSGSG wrote:
| Well, I tracked the previous UIDs and saw a lot of names
| that weren't squatted getting released and shortly after
| ending up with Instagram employees.
|
| E: Oh yeah, there was also the whole "trademarking" thing
| that was used to steal generic names from active accounts
| using obviously invalid trademarks.
| https://www.vice.com/en/article/zma3w4/scammers-fake-
| tradema...
| Inityx wrote:
| Wow that's a shitty thing to do
| FDSGSG wrote:
| Meh, it's their site. It's just weird that they don't
| seem to have any controls around this.
| edm0nd wrote:
| Dont hate the player, hate the game.
| stunt wrote:
| This is not the kind of game that they're forced to play. So
| hate both.
| hurril wrote:
| Should be easy enough to post a list of stolen accounts
| someplace public.
| JSONderulo wrote:
| https://www.nytimes.com/2021/12/13/technology/instagram-hand...
|
| Her Instagram Handle Was 'Metaverse.' Last Month, It Vanished.
| slater wrote:
| And then she got it back.
| edm0nd wrote:
| You should tie your IG account to a Google Voice number instead
| of your cell; that way it can't be SIM swapped.
| leeroyjenkins11 wrote:
| Ok, so I had a similar situation. What it was is that I signed up
| for Insta pre-Facebook merger. Then I connected my Facebook
| account to Insta. So my old username/password combo was
| compromised because I reused it when I was a moron when I was
| younger. So someone gained access via the original Instagram
| password and username and changed my email. Then I would log in via
| Facebook and have access at the same time. The different geo
| locations and unusual activity caused my account to be locked
| periodically. When they unlocked it I logged in quick, changed
| the email address and password on the account on the Instagram
| side and enabled 2-factor and haven't had an issue since.
| iKlsR wrote:
| I'd auction and sell it and be done with the headache personally.
| It's likely one day your meta well will dry up and that will be
| it, years of back and forth to see the handle gone and promoting
| crypto eventually or some crap.
| gaws wrote:
| > I'd auction and sell it
|
| Where could you even do this?
| Jamie9912 wrote:
| I believe there's a website called ogusers. I can't
| personally vouch for it, but I've heard from friends that's
| what they use.
| [deleted]
| leftpass wrote:
| Many companies forbid the sale of usernames in their terms of
| service, so an attempt to auction it off could result in it
| being revoked. Generally, when sales of usernames do happen,
| it's in private so there's little reason to take action... it's
| why there's no reputable marketplace for usernames.
| tclancy wrote:
| This is what a friend did in the exact same situation. He just
| moved into the house he built with the dough. Life is weird
| now.
| barbazoo wrote:
| Someone at Facebook stealing your domain is quite an accusation.
| Assuming your domain was similar to your username/IG handle,
| wouldn't it be more likely to be people wanting your "china"
| domain for spam/malware/propaganda/etc?
| cronix wrote:
| Publicly pondering a theory is an accusation now?
| barbazoo wrote:
| It read to me like that, yes.
| klohto wrote:
| Not really. It already happened several times since short
| usernames go for crazy amounts.
| jmnicolas wrote:
| > Someone at Facebook stealing your domain is quite an
| accusation.
|
| NSA employees do it, why would Meta employees be better
| than the average?
| barbazoo wrote:
| I wouldn't count an NSA employee as "average", I'd assume they
| have access to tools the "average" doesn't have. Comparing
| that to someone at Facebook just doesn't make sense.
| stunt wrote:
| I guess he didn't mean the guy from marketing. But mods
| and customer support people do have admin access over
| accounts.
| china wrote:
| I think the stealing of my domain was a bit of social
| engineering by a hacker (not somebody at FB).
|
| Now, my account gets taken without any noticeable trace on my
| end. No security emails, no suspicious login attempts, nada...
| andkon wrote:
| Contra the above dude, I don't think it's all that strange
| for Facebook employees to profit directly off of their access
| to these systems. See this article about how employees charge
| for verifications: https://mashable.com/article/instagram-
| verification-paid-bla...
| [deleted]
| gecko39 wrote:
| I had a two-letter name which got hacked. I called in a favor
| from a friend of a friend at Instagram/FB and got it back... then
| it happened again and I didn't want to ask the favor again. IIRC
| they did not yet have 2FA even though I asked for it (I was
| assuming it would happen again and it did.)
| docdeek wrote:
| If your IG handle is the same as your HN handle, could it be some
| very motivated people from that country's bureaucracy looking to
| take that handle for the state?
| cronix wrote:
| Likely a phone call is all it would take and Meta would happily
| hand it over.
| Closi wrote:
| Assuming that China itself is trying to capture it, and not a
| rogue state that still wants to use the username for
| political means.
| cryptoz wrote:
| Instagram stole @sussexroyal from a real user, and gave it to
| some entitled "royals" who used the account for like a year
| before dropping it. So annoying how your handle isn't your
| handle, it's the company's, and they will steal your handle
| at a whim.
|
| I never even figured out why the "Royals" wanted specifically
| @sussexroyal or whatever it was so _badly_. The Royals can't
| even be like the rest of us and pick a handle that is
| available, they have to be like "well no we deserve this one
| even though someone has it already".
| AdamJacobMuller wrote:
| > So annoying how your handle isn't your handle, it's the
| company's, and they will steal your handle at a whim.
|
| You don't own digital assets in any sense (excepting
| crypto, which is a whole other set of problems), at best
| you have a contract with some rights of use.
| adventured wrote:
| > You don't own digital assets in any sense
|
| One of the largest classes of digital assets are personal
| files on individual phones and other personal computers.
| So yes, sometimes you do very clearly own digital assets
| (and no, a link about one time where some government
| broke the law and stole someone's files doesn't refute
| that).
|
| Your personal photos on your PC are digital, they're a
| digital asset, and you do own them. No contract
| necessary. The same is true for all sorts of other types
| of personal digital files you might hold as personal
| property, from spreadsheets to backup email records to
| pdf files of contracts and on it goes.
| zemnmez wrote:
| I would look at your email forwarding filters. It's common to see
| compromises with this pattern where the email for your account
| was compromised and all the email is being forwarded to an
| attacker.
| waschl wrote:
| This! Have seen this personally in multiple friends' mail
| accounts. This way it is "surviving" password changes, 2FA
| changes etc.
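The two comments above recommend checking the mail account's filters, because a planted forwarding or auto-archive rule survives password and 2FA changes. The script below is an added example, not code from the thread: it audits a Gmail-style filter export for rules that forward to an outside address or silently bury security and password-reset mail. It assumes the Atom-feed export shape with `apps:property` elements; the sample export is constructed.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Words a hijacker's filter usually targets so the victim never sees the mail.
SENSITIVE_TERMS = ("password", "security", "reset", "login", "verification", "2fa")

# Constructed sample export (assumed Gmail filter-export shape): three rules,
# the first benign, the second forwards and trashes, the third hides resets.
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <apps:property name='from' value='newsletter@example.org'/>
    <apps:property name='label' value='News'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <apps:property name='from' value='security@mail.instagram.com'/>
    <apps:property name='forwardTo' value='dropbox@attacker.example'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry>
    <apps:property name='hasTheWord' value='password reset'/>
    <apps:property name='shouldArchive' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
</feed>
"""


def parse_filters(xml_text):
    """Return one dict of property name -> value per <entry> in the export."""
    root = ET.fromstring(xml_text)
    return [
        {p.get("name"): p.get("value") for p in entry.findall(APPS + "property")}
        for entry in root.findall(ATOM + "entry")
    ]


def audit_filters(xml_text, own_domains):
    """Return (rule_number, [reasons]) for each suspicious rule.

    own_domains: domains you legitimately forward to; anything else is flagged.
    """
    findings = []
    for idx, rule in enumerate(parse_filters(xml_text), start=1):
        reasons = []
        target = rule.get("forwardTo")
        if target and target.rsplit("@", 1)[-1].lower() not in own_domains:
            reasons.append(f"forwards mail to outside address {target}")
        # Trashing, or archive + mark-as-read, makes matching mail invisible.
        hides = rule.get("shouldTrash") == "true" or (
            rule.get("shouldArchive") == "true" and rule.get("shouldMarkAsRead") == "true"
        )
        criteria = " ".join(
            rule.get(k, "") for k in ("from", "to", "subject", "hasTheWord")
        ).strip().lower()
        if hides and any(term in criteria for term in SENSITIVE_TERMS):
            reasons.append(f"hides security/password mail matching: {criteria}")
        if reasons:
            findings.append((idx, reasons))
    return findings
```

Run `audit_filters(open("mailFilters.xml").read(), {"yourdomain.example"})` against your own export; an empty result means no forwarding or hiding rules were found by these heuristics.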
| edm0nd wrote:
| instagramz.com is a legit domain owned by Facebook
| junon wrote:
| Sure looks like it, nameservers point there. Seems a
| Facebook\b\b\bMeta employee did this to you OP.
| theginger wrote:
| If you are using the nickname china and have registered it a lot
| of places, even if you are completely non political and in no way
| associated with the country China, I can imagine the existence of
| these accounts outside of the governments control is a risk the
| government will be willing to spend millions trying to get rid
| of. I'm not sure you can fight that, at least not by yourself.
| kasra85 wrote:
| On top of all security measures, Meta, Google and other big tech
| that offer auth-as-a-service need to offer a paid service to
| reclaim an account. I am sure people would be happy to pay to
| talk to a real human and take back their account.
| skyzyx wrote:
| This happened to me several years ago. My account got locked out
| and I had no way to contact a human to get it back.
| rootsudo wrote:
| Same, I was going to pen something to instagram legal and such.
| savolai wrote:
| My account seems to have gotten hijacked too. Someone has
| (apparently) posted something that's against community standards
| in my profile, as a consequence of which FB has disabled my
| account and says if I don't appeal in 30 days, the account will
| be disabled.
|
| The strange thing is when I try to appeal I get this page.
|
| "Security check To confirm your identity, we will text a
| confirmation code to your phone."
|
| I select my phone number, and receive the right SMS, but it says
|
| "Error Sending SMS Could not send confirmation SMS. Please check
| the phone number and try again."
|
| So I cannot actually enter the code.
|
| I also have 2FA enabled and this doesn't seem to have been
| breached.
|
| On devices that are still logged in I see them telling me I have
| posted something that is in typical photos grid format, but they
| don't show me what the photos were. When I press the button to
| request review, it does nothing.
|
| <https://savolai.net/uncategorized-en/banned-from-facebook-an...>
| pkrotich wrote:
| Your situation is apparently common nowadays with OG usernames
| and can get very dangerous. I had no idea this was a thing until
| I listened to an episode on Darknet Diaries [0] recently.
|
| In the old days, I remember people going after short domains in
| the same manner. ICANN ended up adding locking (auth codes) -
| perhaps IG and other social sites can learn from it.
|
| Be safe!
|
| [0] https://darknetdiaries.com/episode/106/
| JSONderulo wrote:
| Halfway through this pod. This is terrifying.
| china wrote:
| I'll have to listen!
| gkoberger wrote:
| Here's another podcast episode about it, and I remember it
| being really really good. They actually befriend a scammer who
| is pretty open about how it works:
|
| https://gimletmedia.com/shows/reply-all/v4he6k
| Apreche wrote:
| TL;DR: The only methods discussed in this episode are SIM
| swapping and password guessing. Neither of which are relevant
| for OP. Unless OP is lying, there must be some other method
| used.
| heurisko wrote:
| I'm not up-to-date with what OG means. Apparently OG "original
| gangster" usernames refer to common words such as "@Miracle",
| that were registered by early adopters.
|
| https://www.nytimes.com/2021/02/04/style/instagram-account-f...
| emptybottle wrote:
| Can be simply read as OriGinal
| edoceo wrote:
| Or that guy @slack on Twitter. Or @gusto on same
| wyclif wrote:
| The ultimate example to me is the nissan.com guy.
| edoceo wrote:
| Oh! How could I forget! Legend! And they had to get
| NissanUSA.com
| pkrotich wrote:
| Yes indeed - I thought everyone knew that /s :)
|
| You'll be amazed how much googling I do when having
| conversations with friends - I wasn't born in the West and
| things like movie references leave me confused af! But I hide
| it... thank goodness for urban dictionary
| delgaudm wrote:
| Looks up "af"
| tmaly wrote:
| urban dictionary can warp your belief in humanity.
| ww520 wrote:
| OG is the old gang of people, the original early
| founders/adopters/users.
| caseyohara wrote:
| OG means "original gangster":
| https://www.merriam-webster.com/dictionary/OG (see History and
| Etymology section)
|
| > slang: someone or something that is an original or
| originator and especially one that is highly respected or
| regarded
| vineyardmike wrote:
| Old Gang of people... the original gangster. This doesn't
| seem wrong. OG directly translates to Original Gangster,
| but is used to refer to the old crowd, the original
| people, the firsts, etc. In an extreme example, it would not
| be considered incomprehensible (but perhaps strange) to
| say something like "Native Americans are the OG North
| American inhabitants"... really nothing to do with
| gangsters.
| hamburglar wrote:
| Technically true, but... if you say it means "old group"
| or "original gaggle" or "oldest goat," you should
| probably expect to be corrected, because it sounds like
| an implication that that's what OG actually stands for.
| supercoffee wrote:
| Reply All also did an episode about this a few years back.
|
| https://gimletmedia.com/shows/reply-all/v4he6k
|
| tl;dr There's underground marketplaces where shady people buy
| and sell OG usernames for money, which creates an incentive for
| shady people to steal them from the original owners.
| boppo1 wrote:
| How is my username made in the last 4 years different from an
| OG username?
| layer8 wrote:
| OG names are names that are (and always were) in high
| demand, and therefore were quickly taken. The fact that
| your name was still available means that it wasn't in high
| demand. OG names are being pilfered because they are in
| high demand and therefore highly valuable.
| fragmede wrote:
| Because all the good obvious ones are already taken. Simple
| ones like "kevin" or "a". Unless your name is super unique,
| your username from the last 4 years has some sort of quirky
| thing, like a weird spelling with extra letters or numbers
| to get around that.
| pkrotich wrote:
| It's like trying to register a .com domain: OG ones (short
| 2-4 letters) are only available in the aftermarket, and
| only if you have millions. You end up with a long-ish name
| that's also taken, so you end up with domainhq or .io or
| whatever is popular now.
| pkrotich wrote:
| Perhaps incentives don't line up... but I'm wondering if
| social media sites like IG should make renting out usernames
| a thing - obviously there's a market for it. If I'm taking
| social media hiatus, for example, I wouldn't mind getting
| paid while away.
| malux85 wrote:
| Sooooo how does that work? I rent your username while
| you're on holiday for a month and then spam your followers
| with crypto scams and viagra ads?
|
| Or they decouple followers from the username so the
| username becomes a transient thing, which then gets
| ignored, and becomes worthless?
| pkrotich wrote:
| I prefaced it with perhaps incentives don't necessarily
| line up... maybe there's a clever way to go about it. I
| was thinking it will be pre-approved category of
| content... there's already such model with sponsored
| content influencers post.
| pmlnr wrote:
| That is basically how domains work, but there are grace
| periods for recovery.
| Cypher wrote:
| Plot twist, you are the hacker
| ct0 wrote:
| This is a honeypot for new hacking ideas, right?
| jsnell wrote:
| What devices are you using the account on? If it's on a desktop
| browser, my assumption would be that you've got malware. That
| allows them to trivially steal the session cookies, steal the
| passwords the next time you log in, steal any device
| identification cookies that are used to control not using 2FA on
| logins from trusted devices / sending new device notifications,
| and also hijack your recovery and notification email address.
|
| If you're only using this via the app from a mobile device, then
| malware is an unlikely explanation though.
|
| (Why are you regularly changing the password anyway? What's the
| threat model you're trying to guard against?)
| china wrote:
| 99% of the time I am on an iPhone, the other 1% (which is
| generally right after I have been hacked) is on a fully updated
| macOS install.
| jakub_g wrote:
| Any browser extensions installed?
| tgsovlerkhgsel wrote:
| > My current theory is there is some employee at Meta that's
| ultimately stealing the account.
|
| This was my first thought given the e-mail address change.
| Someone e.g. bribing a support person.
|
| My (uninformed) guess would be that given that you got the
| account back, this probably got escalated, someone looked at it,
| fixed it, and hopefully got the criminal support person's access
| disabled, until the next one gets bribed...
___________________________________________________________________
(page generated 2021-12-28 23:02 UTC)