Instagram users report account takeovers – change your password, now.
Here’s the news #nofilter: hundreds of Instagram users are reporting that their accounts were hacked this month, possibly the result of a so-called spam bot attack.
Many victims describe a similar story: they launched Instagram only to find that they’d been logged out of their accounts. Their user names had been changed, and their avatars had become animated characters from Disney and Pixar films. The email address and phone number associated with their accounts had been changed, too, and after requesting a password reset, they discovered that the new email linked to their account had a .ru (Russia) suffix.
Since there haven't been reports of deleted photos or other suspicious activity, experts believe the attackers may intend to use the compromised accounts as spam bots or as part of a future attack.
So, what should you do?
It’s not yet clear exactly how these account takeovers are happening.
But this much is clear: you should change your Instagram password to something strong and distinct. Crucially, it should be different from other passwords you use elsewhere on the internet. (It’s possible that the hackers used login credentials for Instagram that had been stolen during other large data breaches over the past few years.) Here are some tips on how to create strong passwords.
Also, revoke access to any suspicious third-party apps.
For additional security, enable two-factor authentication (2FA) on your Instagram account. And if you ever receive an email alert that this has been disabled, try to lock down the account right away. Is that enough? Maybe not. 2FA can be circumvented via phishing – either tricking someone into revealing the 2FA identifier or, far more likely, by getting them to log in to a fake version of the site they were intending to visit. What’s more, Instagram’s method of two-factor authentication—which uses only SMS text-based notification messages (in which you receive a verification code via text)—is notoriously weak.
The company has responded in a blog post that it’s working on implementing a more secure method of two-factor authentication. As well, Instagram communicated to their users, “We are aware that some people are having difficulty accessing their Instagram accounts. We have dedicated teams helping people to secure their accounts. If you have reached out to us about your account, you will hear back from our team soon."
Learn about the latest breaches, the biggest breaches, and what you can do to keep yourself and your information protected with our Avast Data Breach Survival Guide.
On May 2, celebrate World Password Day by leveling up the strength and complexity of these most critical of security measures — your passwords.