Ask HN: How does my Instagram keep getting compromised?
Over the years, hackers have tried a number of things to steal my handle and I can usually tell how they get in. These days, I have no idea. I've been SIM swapped a handful of times. One time a hacker faxed a fake ID to Godaddy to try and swap out my domain to gain control of my email (they were successful).
Now, I will try to log in to my account and will just be locked out. The email I created specifically for Instagram is not recognized, and there is no way to reset my password.
I have two-factor auth on, I don't use the same password anywhere else, I change it regularly, etc.
My current theory is there is some employee at Meta that's ultimately stealing the account. Does anybody have any idea how they're hacking me?
PS: the worst part about all this is in order to get the handle back, I have to pull strings with folks I know at Meta, for a normal user, they would have absolutely no way of regaining access...
[Update] Just got the account back and still have no idea how my email was removed from the account...
[Update 2] Reviewing the security section I see a password reset email was sent to [username]@instagramz.com. No clue how or who changed the account email to that though.
117 comments
[ 3.3 ms ] story [ 178 ms ] threadhttps://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act
This happens all the time, there is no recourse. Instagram employees are constantly taking usernames for themselves.
So they frustrate users long enough to eventually give up on constantly reclaiming the account, then they get it for themselves to sell or whatever.
[1] Ok, this is a little unfair. They do have customer service, but what they don't have is product service, and this guy is just part of the product, not a customer.
E: Oh yeah, there was also the whole "trademarking" thing that was used to steal generic names from active accounts using obviously invalid trademarks. https://www.vice.com/en/article/zma3w4/scammers-fake-tradema...
In the old days, I remember people going after short domains in the same manner. ICANN ended up adding locking (auth codes) - perhaps IG and other social sites can learn from it.
Be safe!
[0]https://darknetdiaries.com/episode/106/
Good luck defending your handle!
https://gimletmedia.com/shows/reply-all/v4he6k
https://gimletmedia.com/shows/reply-all/v4he6k
tl;dr There's underground marketplaces where shady people buy and sell OG usernames for money, which creates an incentive for shady people to steal them from the original owners.
Or they decouple followers from the username so the username becomes a transient thing, which then gets ignored, and becomes worthless?
https://www.nytimes.com/2021/02/04/style/instagram-account-f...
You’ll be amazed how much googling I do when having conversations with friends - I wasn’t born in the West and things like movie references leave me confused af! But I hide it… thank goodness for urban dictionary
Other examples like this are whether numbers are spelt out (eg one vs 1), and at what point that changes (eg spelling out "ten" but writing 1,000)
But yeah, depends on the organisation.
Check out how the New Yorker deals with the word co-operation :P
Having a native language where this letter is very much present and carries phonetic meaning, it completely trips me up. It annoys me almost as much as when people use the equivalent letter Ø instead of the actual ∅ for "empty set". I'd probably even choose ⦰ but of course all of these choices require some awareness that a character is "taken" as well as some measure of consideration for people other than yourself and those just like you.
End of old man rant.
[1]: https://www.newyorker.com/culture/culture-desk/the-curse-of-...
Capitalization or lack thereof can indicates tone - e.g yelling etc.
For example - What’s up mf! (greetings) vs. What’s up MF! (fight/challenge)
I remember the ICQ days where the shorter your ICQ number, you are the OG of OG's..
> slang: someone or something that is an original or originator and especially one that is highly respected or regarded
If you're only using this via the app from a mobile device, then malware is an unlikely explanation though.
(Why are you regularly changing the password anyway? What's the threat model you're trying to guard against?)
Now, my account gets taken without any noticeable trace on my end. No security emails, no suspicious login attempts, nada...
https://news.ycombinator.com/item?id=7598226
NSA employees do it, why would META employees would be better than the average?
I never even figured out why the "Royals" wanted specifically @sussexroyal or whatever it was so badly. The Royals can't even be like the rest of us and pick a handle that is available, they have to be like "well no we deserve this one even though someone has it already"
You don't own digital assets in any sense (excepting crypto, which is a whole other set of problems), at best you have a contract with some rights of use.
One of the largest classes of digital assets are personal files on individual phones and other personal computers. So yes, sometimes you do very clearly own digital assets (and no, a link about one time where some government broke the law and stole someone's files doesn't refute that).
Your personal photos on your PC are digital, they're a digital asset, and you do own them. No contract necessary. The same is true for all sorts of other types of personal digital files you might hold as personal property, from spreadsheets to backup email records to pdf files of contracts and on it goes.
But most people don't even own that!
Apple can unilaterally and arbitrarily decide at any time to lock your phone remotely and 100% disable your access to iCloud.
You're correct about stuff which is more bare metal than a phone like a hard drive with data on it, but, I would argue that that only encompasses a tiny if not non-existent amount of data for an average (not HN) user these days.
Where could you even do this?
Her Instagram Handle Was ‘Metaverse.’ Last Month, It Vanished.
There was another user here the other day who had their heavymetal community page hacked, and facebook's advice page was to "politely ask the new owner to let them back in" [1].
Absolutely ridiculous.
[1] https://news.ycombinator.com/item?id=29706571
The strange thing is when I try to appeal I get this page.
"Security check To confirm your identity, we will text a confirmation code to your phone."
I select my phone number, and receive the right SMS, but it says
"Error Sending SMS Could not send confirmation SMS. Please check the phone number and try again."
So I cannot actually enter the code.
I also have 2FA enabled and this doesn't seem to have been breached.
On deviced that are still logged in I see them telling me I have posted something that is in typical photos grid format, but they don't show me what the photos were. When I press the button to request review, it does nothing.
<https://savolai.net/uncategorized-en/banned-from-facebook-an...>
This was my first thought given the e-mail address change. Someone e.g. bribing a support person.
My (uninformed) guess would be that given that you got the account back, this probably got escalated, someone looked at it, fixed it, and hopefully got the criminal support person's access disabled, until the next one gets bribed...
You will be forever fucked, as big as Meta/Facebook/Instagram's exploit attack surface is. Microsoft/Office/Xbox is in a similar position as well.
early lucky adopters not employees will always have their accounts poached constantly on every common platform. eventually those who have the names paid for the 'rights,' or defend it communally.
yes, communally - it is a literal racket of cybergangters on every platform leveraging anything from social engineering your doxxed naive grandma into reading a private key to 0-daying your teamviewer to install a common keylogger.
bribing csr's is extremely common, as is sim-swapping (bribing att/verizon csr's), and there are a myriad of attack vectors in between
but of course 94% are just script kiddies using a "turbo"/api-spammer to take the username between other 3rd party transactions. it's a parasitic economy of bottom-feeders and iGangsters.
ha....someone stole this domain or hijacked/spoofed an email chain in the password reset api. you should be honored.
>Last updated from Registry RDAP DB: 2021-12-28 06:35:41 UTC
it of course still resolves to instagram.