11 comments

[ 5.8 ms ] story [ 40.4 ms ] thread
This was a great story but was there ever a follow-up article? Did the hacker get to the USA?

Also, can anyone shed some light on how hackers can keep breaking into instagram and twitter accounts that have just been stolen? I assume they aren't brute forcing it, how is it that the hacker in this story felt like he couldn't keep it secure?

I don't have first hand knowledge, but if I had to guess, likely social engineering customer support.
The hackers could be creating an API auth token after getting the first password. So you change the password, but the auth token is still valid. They can't use the normal Twitter interface, but they can do whatever the API lets them do...send tweets, etc.
I suspect social engineering. it's pretty common these days for everyone to give live sessions to connect with their followers and keep answering personal questions. Don't be surprised, when asked by the followers, most of them are ready to share all personal details from dob to mothers full name. I have noticed many times, the accounts got hacked right after a live session.
Pretty nice read, and I too am curious about how these hackers manage to steal handles, especially the part where the hacker himself admits that there are others out there who want to steal that handle - isn't basic security (no malware, secure email password and 2FA) sufficient?
A hacker stole my IG account. They found my phone number then called AT&T in the dead of night and convinced them to forward my number to a Google Voive account. Then they contacted my web host and used the number to verify it was “me”. From there they had everything they needed.
That is terrifying. How can you prevent someone from being able to do this?
Maybe don't submit your cell phone number as your official contact? Submit a number that is less prone to social engineering changing it, like a VoIP provider number that has no live human support.
I don’t know how they got my number. AT&T said I should have a verbal passcode one the account AFTER the damage was done. That would have been helpful for them to mention when I set up the account. Or you could buy a prepaid burner and use that.
If you use 2FA through an app instead of receiving text messages (assuming the service in question supports this) that would limit the ability to use the social engineering angle.
A proper mobile provider. Failing that, don't use your phone number for anything security-related (no SMS 2FA, etc).