It has been reported that Instagram has revealed a flaw in its systems revealed “a number of” stars’ phone numbers and email addresses to cyber-attackers.The Facebook-owned social network has emailed verified members, usually prominent figures, to let them know. It said it believed “one or more” attackers had targeted high-profile stars to get their contact information. Instagram said passwords had not been stolen but warned users to watch for suspicious activity on their accounts. IT security experts are commented below.
Mark James, Security Specialist at ESET:
“There is one thing that anyone in the IT business will tell you- is if you use, create, own or develop software then one thing is certain…software is not 100% secure! There is always the possibility that someone, somewhere could find a vulnerability or exploit that may enable an attacker to gain control or get access to information they should not normally be able to.
We all expect the big players to invest millions in securing their applications, and they rightly do, but when stories like this emerge it just goes to highlight that exploits could affect anyone. This particular flaw has enabled a potential hacker to obtain phone numbers and email addresses through a bug in its software; this info could enable further scams or phishing attacks to be more successful. This could simply be down to rogue messages asking you to verify further details sent to either of these methods, trying to trick you into thinking your accounts are at risk ( which they are ).
Of course you are powerless to protect yourself from these types of issues but you can protect your accounts from the consequences of such attacks. One of the best methods is without a doubt two-factor authentication. This sets up an additional level of security that will alert you if someone tries to log into your account without your knowledge and is usually extremely easy to configure and set up. Of course the usual advice of secure unique passwords will help to keep you safe but it won’t help you if your password is compromised, whereas two-factor authentication will.
Instagram have stated the flaw occurred “by exploiting a bug in an Instagram API” but they have now fixed the problem. Always be wary of anyone asking for your account details through text or emails; if in doubt delete or ignore them and change your password immediately- and go configure two-factor authentication immediately.”
Lee Munson, Security Researcher at Comparitech.com:
“High-profile Instagram users can breathe a small sigh of relief after the Facebook-owned social network yesterday revealed that no passwords had been swiped in the recent breach of the photo-sharing site.
They’ll need to catch their breath quickly though as other sensitive information has fallen into the hands of those responsible for the hack.
With telephone numbers and email addresses out in the wild, superstars and Z-list celebrities alike will need to be on their guard in the coming weeks as the attackers may just use those contact details for other nefarious purposes.
Not only that, Instagram is also warning against suspicious activity on accounts which seems strange, given the bug has been fixed and passwords left untouched.
To be on the safe side, rich and famous Instagram users should probably change their login credentials anyway, remembering to make their passwords complex and unique to each online account they have.
If their busy lives make remembering all those passwords too much of a challenge, a password manager would be the obvious answer.”
Dean Ferrando, Systems Engineering Manager (EMEA) at Tripwire:
“The more individuals allow access to their data through social media, like Instagram, the more avenues there are for attackers to try. It’s good to remember that social media sites view people merely as a source of income. They are only concerned with the security of your data to the extent that the law requires. This is why it is critical for users to take responsibility of their own security. Password reuse and enabling two-factor authentication should be mandatory for every user of social media and can help reduce the risk of attack.”
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.