Thousands of Instagram users have reported that their accounts have been hijacked over the past few weeks. The attacks involve users being locked out of their accounts with their email addresses changed to .ru domains, Mashable reports.
The account hijackers seem to have been able to disable two-factor authentication (2FA) on at least one user's account. The user told Mashable that Instagram alerted him to this change via email, but that he didn't see the email message in time to take action.
The account hijackers have changed many of the victims' avatars to animated characters from Disney and Pixar films, and deleted their bios. However, there haven't been reports of deleted photos or other suspicious activity on the compromised accounts, an indication that the attackers may plan to use them as spam bots or as components of a future attack.
What should you do? Because the Mashable piece didn't specify whether this was happening to iPhones, or to Android phones, or both, we don't really know exactly how these account takeovers are happening. It may be that the affected users reused their Instagram credentials for other accounts, and that those accounts had their credentials exposed in the massive LinkedIn or Yahoo data breaches of the past few years.
The best thing to do right now is to change your Instagram password to something strong and unusual and — this is very important — to make sure that password is not used for any other account. A password manager will help a lot with that.
In any case, it's a very good idea to have two-factor authentication enabled on your Instagram account, and to keep a close eye out for any email message saying that 2FA has been disabled — and to try to lock down the account right away if you get that message.
The bad news is that Instagram's 2FA implementation at the moment uses only SMS text-based notification messages, which is the weakest kind and the kind most likely to be stolen by SIM hijackers who, well, seem to be interested mainly in stealing Instagram accounts right now. (It's getting worse, though — Reddit itself was hacked earlier this month via a SIM hijack that targeted site administrators.)
Frankly, this is pretty sloppy on Instagram's part. It should let users have more secure forms of 2FA, such as authenticator apps or USB security keys. Facebook lets you do both — there's no reason its corporate cousin Instagram shouldn't as well.
Even though Instagram's 2FA is kind of weak, though, it's better than not having 2FA. You should also make sure that you aren't providing your Instagram credentials to any suspicious third-party apps or websites.
A number of affected Instagram users have had trouble getting their accounts back. One user told Mashable that the email Instagram sent in response to their complaint led to broken links. The account recovery process, once an email has been changed, is largely automated, and users are reporting being locked out for days, unable to contact Instagram.
Instagram stated in a blog post that it has "dedicated teams helping people secure their accounts," and that it is working on implementing a more secure method of two-factor authentication.