Ask HN: My Instagram account stolen – any ideas how?

8 points by jmdocherty 9 years ago · 5 comments · 2 min read


I have (had!) a 2 letter Instagram account which although dull (read: family pics), was pretty popular with people trying to get hold of it. I received "password reset request" emails most days and people routinely offered to buy the account. I often pressed the "report to Instagram" link in the emails but that didn't seem to make any difference to the flow.

I tried to be careful so used Lastpass to generate and store my passwords. I just checked on grc.com/haystack and the password used had a search space size of 4.45 x 10^31 (or a "Massive cracking array" would take "1.41 hundred million centuries"). The account email was in the format [unique string]@mydomain.com.

I use Gmail for my email and it doesn't look like my account has been accessed by anything suspicious. I live/work in the middle of nowhere (literally fields all around) so stealing tokens over my wifi seems unlikely. I use iOS devices and have only ever accessed Instagram on Chrome a couple of times.

I've reported it to Instagram but my question to HN is how could this have happened? What else should I look for to check other areas of my digital life haven't been compromised?
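The "search space" figure quoted above comes from the grc.com/haystack calculator. The following is an added example, not code from the thread or from GRC, that reproduces that arithmetic so the two numbers in the post (4.45 x 10^31, and "1.41 hundred million centuries" for a massive cracking array) can be checked, and puts an online guessing rate beside them. Assumptions: the haystack model counts 26 lowercase, 26 uppercase, 10 digits and 33 symbols (95 printable ASCII characters), sums every length up to the password's length, and rates its scenarios at 1e3, 1e11 and 1e14 guesses per second; the sample password is constructed.

```python
"""Haystack-style search-space arithmetic (added example, not from the thread).

Assumptions (not stated on the page): alphabet sizes 26/26/10/33 as on
grc.com/haystack, search space summed over all lengths up to the password
length, and the guess rates below for GRC's three labelled scenarios.
"""
import string

SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600

# Guesses per second; assumed to match the three scenarios GRC labels.
RATES = {
    "online attack": 1_000,
    "offline fast attack": 100_000_000_000,
    "massive cracking array": 100_000_000_000_000,
}


def alphabet_size(password: str) -> int:
    """Alphabet size implied by the character classes actually present."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    # 32 punctuation characters plus space = the 33 symbols GRC counts
    if any(c in string.punctuation or c == " " for c in password):
        size += 33
    return size


def search_space(length: int, alphabet: int) -> int:
    """Every candidate of length 1..length over the alphabet (exact int)."""
    return sum(alphabet ** n for n in range(1, length + 1))


def centuries_to_exhaust(space: int, rate_per_second: int) -> float:
    """Time to try the whole space at a fixed guess rate, in centuries."""
    return space / rate_per_second / SECONDS_PER_CENTURY


def report(password: str) -> dict:
    """Search space and exhaustion time for each assumed scenario."""
    space = search_space(len(password), alphabet_size(password))
    out = {"alphabet": alphabet_size(password), "search_space": space}
    for name, rate in RATES.items():
        out[name] = centuries_to_exhaust(space, rate)
    return out


if __name__ == "__main__":
    # Constructed 16-character sample drawing on all four classes.
    sample = "Xk7#qP2v$Lm9!wRz"
    r = report(sample)
    print(f"alphabet {r['alphabet']}, search space {r['search_space']:.2e}")
    for name in RATES:
        print(f"{name:>24}: {r[name]:.2e} centuries")
```

A 16-character password over all 95 printable characters gives a search space of about 4.45 x 10^31 and roughly 1.41 x 10^8 centuries at 1e14 guesses per second, the figures the post quotes. The arithmetic only models an attacker who has to guess the password; a takeover through the password-reset flow or a support channel never touches this search space, which is why MFA and reset-path controls matter more than password entropy for an account that is already being targeted.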

MattBearman 9 years ago

Considering the desirability of a two letter account name, it seems likely this was a social engineering attack on Instagram support staff. Sadly, humans are often the weakest link.

Hope you manage to get your account back with all the photos intact.

  • jmdochertyOP 9 years ago

    Yeah, I hope it was social engineering (seems a better option than hacking Lastpass :-) ) but not sure how they could have done it given the information that was on the account/unique to the account. Will be interesting to see if Instagram return the account to me.

tomcart 9 years ago

That sucks.

Does Instagram support MFA - I can't see a configuration mechanism for it on my account. Seems like a bit of a gap in their identity system?

  • jmdochertyOP 9 years ago

    I have MFA set for the same Twitter handle but couldn't see it on Instagram. I thought that by reporting all the erroneous "password request" emails they might have flagged something (not sure why they have that link in the email if it doesn't do anything). Obviously I'm seriously small-fry so wouldn't expect any kind of special treatment but not having MFA does seem to be a bit lacking.

    • tomcart 9 years ago

      Absolutely, without it I'm amazed that accounts aren't being brute forced by the thousand? Maybe I'm missing something in the UI
