Author Topic: Outsmarting an Instagram hacker?  (Read 1859 times)

veebs
Outsmarting an Instagram hacker?
« on: October 06, 2014, 09:09:48 PM »
I have come here to seek advice from the hacking experts. Is there a way to protect an Instagram account that is repeatedly being hacked/stolen? In the last week our company's account has been hacked 5 times and we have gone through all the steps (that we know of) to eliminate the variables: changed passwords/emails, revoked access to other apps, logged in with new devices etc. Can anyone give me advice and help to eliminate this hassle? Thanks 8)

Stackprotector
Re: Outsmarting an Instagram hacker?
« Reply #1 on: October 06, 2014, 09:27:10 PM »
Lol, you probably have a leak somewhere. When you tried everything from re-installing to only using the account on a different PC on a different network with a specially made email account, then I assume it's somebody you know who is doing it. Can you get the IP of the hacker that logs into the twitter account? Can you set up 2 way verification?
~Factionwars

veebs
Re: Outsmarting an Instagram hacker?
« Reply #2 on: October 06, 2014, 09:39:34 PM »
I know very little about coding and hacking; however, we believe this person is finding a way in through the access_token, which is evidently a weak spot in Instagram/Facebook's security. We are positive it is not someone we know because at this point only one person has the login information. Bear with me now as I ask: how might I figure out "the IP of the hacker that logs into the (instagram) account" and how could we set up 2 way verification for Instagram?

veebs
Re: Outsmarting an Instagram hacker?
« Reply #3 on: October 07, 2014, 06:38:04 PM »
It looks like Instagram doesn't have an option for 2-way verification.

rasenove
Re: Outsmarting an Instagram hacker?
« Reply #4 on: October 07, 2014, 06:53:47 PM »
It could be that the Instagram itself is vulnerable and the hacker is exploring it. Use another Instagram if possible and see what happens..

proxx
Re: Outsmarting an Instagram hacker?
« Reply #5 on: October 07, 2014, 07:03:25 PM »
Quote from veebs (Reply #2):
> I know very little about coding and hacking; however, we believe this person is finding a way in through the access_token, which is evidently a weak spot in Instagram/Facebook's security. We are positive it is not someone we know because at this point only one person has the login information. Bear with me now as I ask: how might I figure out "the IP of the hacker that logs into the (instagram) account" and how could we set up 2 way verification for Instagram?

Not saying it is unhackable but don't expect bugs like that to exist very long.
I agree with Factionwars.
Either a PC is infected with malware and/or contains a backdoor of some kind.
That or there is someone in your email account so he can reset the password.

Pak_Track
Re: Outsmarting an Instagram hacker?
« Reply #6 on: October 07, 2014, 07:36:18 PM »
Yep, most likely a problem on your end. I know someone who used a phishing page to get his friend's login info, about 3 times in a row. The dude ended up changing his account :P
Who knows of the login info?

veebs
Re: Outsmarting an Instagram hacker?
« Reply #7 on: October 07, 2014, 09:29:09 PM »
So here is the history of the situation: About three months ago our company purchased the Instagram handle from a user. He dropped the name while we simultaneously changed our existing profile to the new handle. At that time we had only two iPhone devices that ever logged into the application and one email address connected. Once the hacking began (last week) we got the account back with the help of Instagram admin and changed the password as well as email address associated. We also narrowed the devices down to one iPhone logging in AND the new email was accessed from a different Mac computer. Since then our account has been re-hacked probably 10 times, we have tried creating brand new email addresses, using emails of people outside of the company's network, etc. We have also reset our company's wifi information as an additional paranoid remedy.


Back to the user access_token theory: If at one point one of our devices granted access to a third party claiming to be an app, a hacker could have retrieved our token, and as I understand, has access to our profile eternally or until we revoke access. I followed this process as outlined on Instagram's support page as though I was a third party app (http://instagram.com/developer/authentication/) and retrieved my own Client ID and Client Secret by sending myself an OAuth request. OAuth basically masks the request to login as though it is Instagram asking and once a user logs in you can retrieve their ID when it redirects you to whatever website you have requested. Here is someone doing that same thing: "http://www.breaksec.com/?p=6164". At this point I'm trying to figure out how to revoke the access_token even though there is no physical app attached. Did any of that make sense?
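
Added example, not part of any post in this thread and not Instagram's code: a constructed toy model of an OAuth-style provider, showing why the token theory above would explain repeated takeovers after password and email changes, and why revoking the grant is the step that matters. The class, the client names `scheduler-app` and `unknown-app`, and the premise that a password change leaves existing grants untouched are assumptions of the model.

```python
import secrets


class ToyAuthServer:
    """Constructed model of an OAuth-style provider (assumption, not a real API)."""

    def __init__(self, passwords):
        self.passwords = dict(passwords)  # user -> password (toy: plaintext)
        self.grants = {}                  # access_token -> (user, client_id)

    def authorize(self, user, password, client_id):
        # The user logs in on the provider's page and approves client_id;
        # the client receives a bearer token bound to that approval.
        if self.passwords.get(user) != password:
            raise PermissionError("bad credentials")
        token = secrets.token_hex(16)
        self.grants[token] = (user, client_id)
        return token

    def change_password(self, user, new_password):
        # Model premise: only the credential changes, grants are left alone.
        self.passwords[user] = new_password

    def revoke(self, user, client_id):
        # Remove every token issued to client_id on behalf of user.
        doomed = [t for t, g in self.grants.items() if g == (user, client_id)]
        for t in doomed:
            del self.grants[t]
        return len(doomed)

    def api_call(self, token):
        # API access checks the token only; the password is never consulted.
        grant = self.grants.get(token)
        return grant[0] if grant else None

    def list_grants(self, user):
        # The defender's audit view: which clients still hold access.
        return sorted(c for u, c in self.grants.values() if u == user)


def demo():
    srv = ToyAuthServer({"company": "old-pass"})
    srv.authorize("company", "old-pass", "scheduler-app")
    rogue = srv.authorize("company", "old-pass", "unknown-app")
    srv.change_password("company", "new-pass")
    after_reset = srv.api_call(rogue)       # token still works
    srv.revoke("company", "unknown-app")
    after_revoke = srv.api_call(rogue)      # token is dead
    return after_reset, after_revoke, srv.list_grants("company")
```

In this model the audit step is `list_grants`: any client the account owner does not recognise gets revoked, and a password change alone is never counted as containment.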