Here we have a confusing story, and if anyone can shed any light on it, we would love to hear from you. A friend of ours had his Instagram hacked by someone who had hacked the Instagram of another friend of his earlier that week. This hacker had sent out all of the usual nonsense about fast cars purchased and holidays travelled because of an automated crypto-trading app. Now this is nothing new, and how they hacked that Instagram, we do not know, but the story gets interesting when it comes to how the Instagram of our hero was hacked.
The hacker, still pretending to be his friend, sent a text message containing a link. Now this link was not an Instagram link, and it did not come from a recognised number, but our hero had known this person a long time, and he may have changed numbers by now. So the hacker, posing as the friend of our hero, explained that our hero should not click the link, but instead take a screenshot and message it back to the hacker (posing as our hero's friend) using Instagram messenger.
So is this somehow an Instagram lost password link generated from outside the Instagram account in question? https://ig.me/qH3vf3YNxqoHbUO
From the image (or possibly the message itself) of this link, the hacker was able to compromise the Instagram account of our hero. Does anyone understand this? How could an image of a link sent through Instagram messenger compromise usernames and passwords?
So the new hacker owner of the site has changed all of the details and now we are struggling to recover the account. The hacker is now using the same method to try and take control of other Instagram accounts:
So here is the hack:
Hi! how are you doing. I'm contesting for an ambassadorship spot at an online influencers program can you please vote for me?
The hacker gets you to send a text message from him to his Instagram account via the inbuilt messenger, and he somehow takes control of the account with that???
This is the original message received by the Instagram account. The user has yet to recover their account from Instagram and awaits some form of human interaction. As far as we know there is no way to break into an Instagram account just by getting someone to send you an image of a link, but please correct us if you know better.
As stated previously, a friend of the account holder had already been hacked but there is still no information as to how the hack works.
If this is a security vulnerability within Instagram then it most definitely will need to be exposed to encourage action from Meta, but it does seem to be an odd exploitation.
What are the other possibilities? Could they use deepfakery to get past lost password authentication? Could they be using the image as advice to Instagram that the account was really theirs, and they were the ones who had been hacked?
We would love to hear about your thoughts and ideas in the comments section.
This is definitely happening to other people, but we still cannot see how it works: https://www.reddit.com/r/Instagram/comments/taq9sf/potential_scam/
If this is a real vulnerability, can anyone post the link that they were sent so that we can try and work out how this infiltration works? If someone outside of the account created the link, how could they use it to reset the password of that account? Is there some vulnerability between connected accounts such that a follower of one account can generate a password change code for the account that it is following?
There is a video here explaining how you may be able to regain access, but we have found that if you enter the code wrong, you have to wait another day before you can get access to the face recognition part of the system, and even then it is hit and miss if you can get it or not.