Several days ago, Instagram announced that it had fixed a vulnerability that had apparently allowed unauthorized parties to obtain the email addresses and phone numbers associated with Instagram accounts, even when such information was supposed to be private and inaccessible to parties other than the respective account owners. Armed with the pilfered information, criminals could potentially have attempted to trigger and intercept password reset messages or to phish or otherwise social engineer Instagram users - which may explain how Gomez's account was breached.
Before the bug was fixed by Instagram, a hacker, or group of hackers, apparently stole a significant amount of data which he/she/they are now offering for sale online at a price of $10 per record (payable in Bitcoin, naturally), terming the searchable database of pilfered Instagram information "Doxagram." The Daily Beast claims to have verified some of the data supplied by the hacker/s as authentic.
The party (be it a he, she, or they) responsible for Doxagram says that it amassed data from over 6 million users. Of course, Instagram has over 700 million active monthly users, so 6 million is less than one percent of the total Instagram userbase - but it still represents many potentially unhappy people.
Among the accounts whose data was stolen were reportedly those of Kim Kardashian, Leonardo DiCaprio, Beyoncé, Taylor Swift, and even the official White House account.
Doxagram has had periodic outages as various service providers take steps to take it down - but appears to be accessible at the present time via the Tor network. Earlier today the person or people behind Doxagram appeared to be tweeting using the Twitter handle @doxagram_insta; Twitter has since suspended that account. Ironically, shortly before the Doxagram account was shut off, its operator tweeted a reminder for anyone using the system to purchase stolen data to "Please keep your login information safe. Use a strong password. We can't do anything if your credit gets used by someone else." Yes. That would be hackers advising people buying stolen information how not to become victims of hackers.
So, how can you best protect your Instagram account?
1. Use multi-factor authentication.
2. Use a unique, strong password. For advice on how to select a strong, easy-to-remember password, please see my article, How to Create Strong Passwords That You Can Easily Remember.
3. As Instagram has pointed out, "Be vigilant about the security of your account, and exercise caution if you observe any suspicious activity such as unrecognized incoming calls, texts, or emails." Do not respond to emails or texts asking you to reset passwords or the like. Never click links in emails or text messages in order to access Instagram; instead, access the social network via the app or by typing https://instagram.com into a web browser.
4. If you ever receive an Instagram password reset email and you did not request a password reset - contact Instagram. To do so, tap the '...' menu from your profile, select "Report a Problem," and then select "Spam or Abuse."
Doxagram Twitter feed as seen on Tuesday, September 5, 2017.