Hackers Target Instagram, Users Blame Russia

The Facebook-owned photo-sharing application Instagram has reportedly fallen victim to an attack, which appears to have originated in Russia, according to news from The Sun. Both Mashable and Reddit have reported a surge in the use of the word "hack" in tweets related to Instagram accounts. Additionally, Google Trends shows that a significant jump in searches for "Instagram hacked" occurred 7-11 August.

A tweet storm continues to thrash on Twitter, resulting in a social media meltdown that's revealing widespread user frustrations over the lack of response from Instagram.

One user tweeted, “your help center is so unhelpful. How am I supposed to gain access to my hacked account if all you want to do is send an email asking me to reset my password and that email has been changed to theirs???”

Flurry of tweets

One user advised Instagram users to immediately activate two-factor authentication. “I very much doubt 2FA was in use in the hacked accounts, so switching on 2FA will certainly prevent this type of attack,” said Andy Norton, director of threat intelligence at Lastline.

However, there have been anecdotal reports that some accounts were using the layered protection of 2FA.

“Although this is an excellent security control and should always be used, it's not foolproof and can be defeated if someone is either able to take control of the mobile phone number that receives the text message code or if they can trick the account holder into visiting a fake version of the real website that interacts with the real website and prompts the user to enter the two-factor code,” said Rob Shapland, principal cybersecurity consultant at Falanx Group.

While the account takeovers all seem to be linking to Russian email addresses and could indicate an attack from a Russian hacking group, it remains possible that another group is pretending to be Russian.

“Having a hacked account associated with a Russian email address may well signify that the attacker is a resident of that country, but it is certainly not a foregone conclusion. Email addresses are easily spoofed, either to conceal identity or to encourage finger-pointing toward the wrong place,” said Lee Munson, security researcher at Comparitech.com.
