How Not To Be One of Six Million Instagram Hacked Accounts
What Happened?
Instagram, the photo and video sharing app used by more than 700 million people every month, suffered a significant data breach last week. At first the incident appeared to be aimed solely at the accounts of A-list celebrities; for example, nude photos of Justin Bieber were posted from Selena Gomez’s account. The attackers had found a flaw in Instagram’s API that let them retrieve users’ email addresses and phone numbers. It was later revealed that the takeover of Gomez’s account was only the opening move: the flaw exposed the contact details of up to six million accounts.
As if that were not grim enough, the attackers pooled the harvested contact information into a marketplace called Doxagram, a dark web database where anyone could buy a user’s private details for $10 per account. Reportedly, the contact information of Emma Watson, Harry Styles, Beyonce, Zac Efron, Rihanna, David Beckham and many other celebrities was on offer to anyone willing to pay the price. The Telegraph claims that the official Instagram account of President Trump, managed by the White House social media team, was among the six million affected accounts.
Instagram co-founder and CTO Mike Krieger released a statement addressing the breach and recommended that users enable two-factor authentication. Instagram accepted responsibility for the bug and assured users that a “low percentage of Instagram accounts were impacted.” To be clear, even at less than one percent of all accounts, six million is not a small number. Fortunately, no passwords were exposed; however, an email address and a phone number may be all an experienced attacker needs to take over a profile, for example by phishing the owner, hijacking the phone number through a SIM swap, or abusing password-reset flows tied to those contact details.
What Does Two Factor Authentication Really Mean?
Let’s take a closer look at Instagram’s recommendation of two-factor authentication. To do so, we first need to understand what authentication actually is. Authentication is verifying a claimed identity. Picture the following scenario: you say “I am Selena Gomez.” That statement is identification; you are claiming an identity. To be believed, you have to prove the claim, and that proof step is authentication.
Domain 5 of the CISSP exam, Identity and Access Management, teaches that there are three ways to authenticate: with something you know, something you have, or something you are. The following table details the three authentication types.
| Authentication Type | Description | Examples |
| --- | --- | --- |
| Type 1 | Something You Know | Password, PIN, finger stroke (swipe) pattern |
| Type 2 | Something You Have | Token, smart card |
| Type 3 | Something You Are | Fingerprint scanner, voice recognition, iris scanner |
Multi-factor authentication means authenticating with two or more factors of different types. For example, to withdraw money from an ATM you first insert your card (something you have) and then enter the PIN associated with that card (something you know) to complete the transaction.
When two authentication methods of the same type are combined, for example a password and a PIN, the result is not meaningfully stronger than either method alone, because a single attack (phishing, a keylogger, a dumped database) can capture both. Two-factor authentication, by contrast, forces an attacker to mount two different successful attacks: one to learn the secret and another to obtain or clone the token, device or biometric. The second factor is only as strong as the channel that delivers it; a one-time code sent by SMS, for instance, can be intercepted by an attacker who has hijacked the victim’s phone number, which is exactly why a leak of phone numbers is worth taking seriously.
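To make the two-factor idea concrete, here is a minimal login check that requires a password (something you know) and a time-based one-time code from an authenticator app (something you have). This is an added example written for this article, not Instagram’s code or the code behind any authenticator app. The code generation follows RFC 6238 (HMAC-SHA1, 30-second steps, six digits), so it interoperates with common authenticator apps; the user record, salt, password and base32 secret are constructed sample data.

```python
"""Two-factor login check: a password (something you know) plus a TOTP code
(something you have: an authenticator app holding a shared secret).

Added example, not Instagram's code. TOTP follows RFC 6238 (HMAC-SHA1,
30-second step, 6 digits). The user table, salt, password and secret below
are constructed sample data.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed sample "database": one user, salted password hash, TOTP secret.
_SALT = b"constructed-salt"
_ITERATIONS = 100_000
USERS = {
    "selena": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITERATIONS),
        "totp_secret": base64.b32decode("JBSWY3DPEHPK3PXP"),  # constructed secret
    }
}


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP over the current time step (HMAC-SHA1, dynamic truncation)."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def check_password(user: str, password: str) -> bool:
    """Something you know: constant-time comparison of the stored PBKDF2 hash."""
    rec = USERS.get(user)
    if rec is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)
    return hmac.compare_digest(candidate, rec["pw_hash"])


def check_totp(user: str, code: str, at: Optional[int] = None, skew: int = 1) -> bool:
    """Something you have: accept the code for the current 30-second step and
    +/- `skew` steps to tolerate clock drift between server and phone."""
    rec = USERS.get(user)
    if rec is None or not (code.isascii() and code.isdigit() and len(code) == 6):
        return False
    at = int(time.time()) if at is None else at
    for i in range(-skew, skew + 1):
        if hmac.compare_digest(totp(rec["totp_secret"], at + 30 * i), code):
            return True
    return False


def login(user: str, password: str, code: str, at: Optional[int] = None) -> bool:
    """Both factors must pass. Both are always evaluated so a failure does not
    reveal through timing which factor was wrong."""
    ok_pw = check_password(user, password)
    ok_otp = check_totp(user, code, at)
    return ok_pw and ok_otp


if __name__ == "__main__":
    now = int(time.time())
    good = totp(USERS["selena"]["totp_secret"], now)
    print("password + wrong code :", login("selena", "correct horse", "000000", now))
    print("password + valid code :", login("selena", "correct horse", good, now))
```

Note what the attacker has to do here: a phished or leaked password is useless without the current six-digit code, and the code is useless without the password. The secret that seeds the codes never leaves the server and the phone, so the email addresses and phone numbers exposed in the Instagram breach would not be enough on their own against this design, although a phone-number hijack would still defeat a second factor delivered by SMS.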
The new CompTIA Security+ SY0-501 exam takes multi-factor authentication a step further by introducing two more factors, for a total of five ways to confirm an identity. Domain 4, Identity and Access Management, adds “something you do” and “somewhere you are.”
| Authentication Type | Description | Examples |
| --- | --- | --- |
| Type 4 | Something You Do | Signature comparison, typing technique |
| Type 5 | Somewhere You Are | Location service, IP address |
“Something you do” refers to the user’s behavioral characteristics: the way you sign your name (the speed, pressure and stroke order, not just the shape of the signature) or the rhythm with which you type your password is distinctive and can be compared against a stored profile. “Somewhere you are,” on the other hand, uses the user’s location to corroborate an identity claim. When you sign in to your bank account from an unusual place (you’re on vacation, or using a different computer), you are often challenged with an extra security question because the application does not recognize your IP address. Because an IP address is easy to change with a VPN or proxy, location is normally treated as a risk signal that triggers a stronger challenge rather than as a factor that can stand on its own. Five different ways to prove that you are who you say you are may seem like overkill, but keeping your credentials out of the hands of criminals is worth the inconvenience.
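The “unrecognized IP address” behavior described above is a risk-based step-up decision, and it can be sketched in a few lines. The following is an added example, not the logic of any bank or of Instagram: the remembered networks and sign-in attempts are constructed data, and the policy (a correct password from a familiar network is enough, while an unfamiliar network also requires a second factor) and the /24 and /64 prefixes used to remember a location are assumptions made for the illustration.

```python
"""Location as a risk signal ("somewhere you are"): a sign-in from a network
the user has never used before triggers a step-up challenge.

Added example, not any vendor's code. The remembered networks and the sample
sign-in attempts are constructed data; the policy below (known network plus a
correct password is enough, unknown network also needs a second factor) is one
simple choice, and the /24 and /64 "remember" prefixes are assumptions.
"""
import ipaddress
from typing import Dict, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed: networks each user has previously authenticated from.
KNOWN_NETWORKS: Dict[str, List[Network]] = {
    "selena": [
        ipaddress.ip_network("203.0.113.0/24"),   # home ISP (TEST-NET-3)
        ipaddress.ip_network("2001:db8:1::/48"),  # office (documentation prefix)
    ],
}


def is_known_location(user: str, ip: str) -> bool:
    """True if `ip` falls inside a network this user has used before.
    Unparseable addresses are treated as unknown, never as trusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    # `in` is False across address families, so a v4 address never matches a v6 net.
    return any(addr in net for net in KNOWN_NETWORKS.get(user, []))


def login_decision(user: str, password_ok: bool, second_factor_ok: bool, ip: str) -> str:
    """Return "deny", "allow" or "step_up" (prompt for the second factor)."""
    if not password_ok:
        return "deny"      # wrong secret: a familiar location cannot rescue it
    if is_known_location(user, ip):
        return "allow"     # familiar network corroborates the password
    if second_factor_ok:
        return "allow"     # unfamiliar network, but the second factor was presented
    return "step_up"       # unfamiliar network: demand more evidence before allowing


def remember_location(user: str, ip: str) -> Network:
    """After a successful step-up, record the source network so the next sign-in
    from the same place is not challenged again. Assumed prefix sizes: /24, /64."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    KNOWN_NETWORKS.setdefault(user, []).append(net)
    return net


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.9", "2001:db8:1::42", "not an ip"):
        print(ip, "->", login_decision("selena", True, False, ip))
```

The design choice worth noticing is that location never grants access by itself: a wrong password is denied regardless of where it comes from, and an unfamiliar network only raises the bar. That matches how the page describes it, as a signal that prompts a further challenge rather than as a fifth lock on the door.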
Real World Lessons
Instagram’s breach proves yet again that no organization is immune. Individuals need to understand the cyber risks in the apps and digital services they use, and should enable every optional authentication control those services offer, starting with two-factor authentication, to limit the damage when a breach like this one happens. To become an expert on authentication and other cybersecurity best practices, consider earning your CISSP or Security+ certification and lead the effort to make your colleagues and peers more vigilant.