Last updated: 11 September 2017
Following an API vulnerability 
privately reported by Kaspersky Lab to Instagram, the Facebook-owned service issued a warning to its high-profile users, urging them to use 2FA to protect their accounts, as well as to exercise caution in relation to suspicious emails, phone calls and text messages. The security hole caught Kaspersky Lab’s attention after their researchers spotted celebrities’ personal details being offered for sale in an underground forum.
Shortly after reporting the initial news of the Instagram breach, security publisher Ars Technica received an email from a person who claims to have pilfered details of six million Instagram accounts. This person also claimed that they are now peddling the phone numbers and email addresses of these accounts on an online blackmarket store, selling them at $10 a search. Each search yields a phone number or email address, if available. To establish their credibility, the hacker provided a sample of 10,000 records, which after further investigation by Ars, appear to be genuine.
Kaspersky Lab reported that the flaw relied on exploiting an older version of the Instagram app released last year, and that it utilized the password-reset option. Instead of directing the password-reset request to Instagram’s servers, the attackers sent it to a web proxy. This enabled them to get their hands on the request’s code, replace the original username with that of a targeted celebrity, and then forward it to Instagrams’ genuine servers. The latter, in turn, replied with the targeted celebrity’s email address and phone number.
Instagram has since patched the API hole, and according to its statement the bug could only be “used to access some people’s email address and phone number even if they were not public. No passwords or other Instagram activity was revealed.”
Was the vulnerability in question tied to the Selena Gomez Instagram incident, in which private pics of her ex were unknowingly posted on her account? Looking at the Instagram statement, and the records being sold in the underground, no passwords were revealed—so there is no clear connection. Theoretically, one could use the pilfered phone number and email for an attack involving social engineering, such as a phishing or SMiShing attack.
In any event, by turning on two-factor authentication, Instagram is urging its users to step up their security. With 2FA enabled, each time an account is accessed from a new or unrecognized device, Instagram users are required to enter a one-time-passcode sent to them via an SMS text message, substantially mitigating the risk of various types of abuse and exploits.
How do you protect your users from an incident like Instagram’s breach? Learn how multi-factor authentication can help you thwart different types of attacks. Read the Security Survey of Strong Authentication Technologies – White Paper, or visit Safenet.Gemalto.com/Multi-Factor-Authentication.
