How to steal an Instagram account

Short description

A security scare involving an authorization code sent via SMS from “Google” prompted a blogger to investigate. After reading forums, checking authorised devices, and changing the password, the blogger discovered how hackers can access accounts, highlighting the importance of observing 15 basic security rules. Their summary of how they hacked an Instagram account in 2015 reveals that the victim’s failure to use two-factor authentication or to disclose too much information about themselves in public access, and the phishing for credit card details through technical support were key vulnerabilities. The blogger recommends using virtual cards, not linking accounts to social networks, and avoiding identical data across multiple services.

How to steal an Instagram account

Having recently experienced a small security scare – I received an SMS with a “Google” code of the form G-******, I went to look for what it could mean. I don’t know about you, but this is not the first time for me, although nothing else usually happens after that. It is clear that this is some kind of authorization code, but to understand whether the SMS came by accident or on purpose, and where exactly did the attackers try to get into the account itself or some service tied to it? Although I suspect that it was a hacking attempt, Google didn’t tell me exactly what the hacking scheme was – so I never understood what bottlenecks I needed to secure. In the end, after reading the forums, checking all the authorized devices, and changing the password, I had to calm down.

Instead, in the process of searching, I found what I was not looking for: an example of the hijacking of Instagram (a service banned in the Russian Federation, recognized as extremist) in 2015, using holes in the support of Apple and Amazon. The case shows an example of the simplicity of hacking in the presence of knowledge of the work algorithms of third-party service support. This particular example is now safe for publication, but the principle behind the abduction remains relevant.

I’ve written before that hackers can’t hack into any of your accounts with the click of a finger, but only if you follow 15 basic security rules. Here’s how I once hacked the account of an Instagram victim (back in 2015) who didn’t follow these rules:

1. The victim’s Instagram profile contained a link to her personal website.

2. I found a Gmail address on the site.

3. I started the Gmail password recovery process.

4. Gmail notified me of an Apple email linked to the mailbox, where it will send a link for recovery.

5. I needed to crack the Apple box, for that I called AppleCare tech support, where they asked me for my name, address and 4 digits of my credit card.

6. I was able to find out the address of the victim by punching the owner of the site through publicly available information about whois domains.

7. To determine the credit card numbers, I called the support of the site that knew exactly the victim’s credit card – Amazon. There I asked to add a new credit card (my fake one), introducing myself as the owner, I was asked for the address, name and email – all this I already knew

8. Next I called Amazon again, asked to restore access to the account, they asked for my name, address and credit card number – I gave the fake credit card number and they granted me access 👏

9. And in the Amazon account, I found the victim’s real credit card, after which I called AppleCare again, telling them what they wanted – the name, address and 4 digits of the credit card.

10. After accessing Apple mail, I reset my Gmail password, and after accessing Gmail, I reset my Instagram.

What rules did the victim break? She did not use two-factor authentication, disclosed too much information about herself in public access, did not use virtual cards (one for each site!). I am generally silent about the technical support of the sites – phishing will always work.

The main problem is immediately visible: the same fragments of information about us are stored in different places on the Internet. Replace Apple with “” and “Amazon” with “Ozone” – and it will become clear that the conclusions from this case are more than relevant. Modern security protocols of the largest services are constantly improving, but here the problem turned out to be that some key data for hacking more secure services can be written in open form in some less secure places.

The advice to use two-factor authentication is common knowledge, and it’s likely that laziness rather than ignorance is stopping most people from using it now.

The weakness of Apple and Amazon’s technical support in this scenario is simply outrageous. But this is an important argument for not storing card data on any services. Many are afraid, rather, that the service will write off something extra. And one should be afraid that these data may become a link in the hacking chain of something more significant. Where card binding is an important issue of convenience (subscriptions or regularly used services such as taxis), virtual cards should be used.

Fortunately (and this is a rare advantage for a Russian user), thanks to the Fast Transfer System, transferring money between accounts in different Russian banks does not cost a penny, and you can get a virtual card everywhere for free.

Hacking any delivery service will give a more accurate address today than whois can in principle – right up to the apartment.

What’s once on the internet stays there forever, so if you’ve been throwing your real credentials around the internet left and right, you’ve already accumulated a decent amount of incriminating information that can be used against you by hackers and scammers and detractors.

All of our enemies begin their hunt for us by analyzing our public data—what we have shared about ourselves and published online. For example, your innocent nickname used in an online game or on a forum, you may also have used in the past on a classifieds site. Thus, the hunter’s first step for you is transformed into the second – he found you on another website by your nickname, and this nickname had a “lit” phone number on the website you forgot. Then the snowball grows: the second step turns into the third – the hunter punches the owner of the phone number through merged bases or through services on the darknet. In the fourth step, your real name and place of residence are already known, and the further development of events depends on the intentions of the attacker.

To avoid this development, get into the habit of using unique logins/nicknames/names/avatars and email addresses when registering on each new site. There are a lot of services like this, which allows you to get a temporary mailbox for registration on each left site, so as not to burn yourself once more. Also, do not use on sites where you would like to remain anonymous, data that you have already associated with yourself somewhere before: links to your blogs and social networks, avatars, nicknames and even gender.

  • The less data you store about yourself in the profiles and settings of various services, the less chance you leave for someone to harm you in the future.

  • Do not trust the same data to different services: use virtual cards, additional or disposable email addresses, get a second SIM card for spam and registrations, do not link accounts to social networks.

PS Google, and other services, should actually indicate the context in the SMS with the codes: from which service and/or for what purposes they are requested. This is what banking services do, indicating both the amount and often the purpose of the transaction. Given how much is currently tied to any global services such as Google, Yandex, and, they all need to adopt banking standards for notifications: because through access to them, users’ bank accounts, or worse, can to be at arm’s length from the intruder.

Related posts