A security researcher recently discovered a flaw in the way Instagram validated password reset codes. Because of this defect, an attacker could try one million password reset codes within a ten-minute window with a 100% success rate.
My Instagram account was hacked last night (despite my clever password “password”). We apologize, and we thank everyone who brought it to our attention. I’m going back to sleep now.
— Ellen DeGeneres (@TheEllenShow) August 23, 2019
It is fortunate that a white hat hacker identified Instagram’s vulnerability before a malicious actor did. For as long as the vulnerability remained unpatched, hackers with malicious intentions could have taken over millions of Instagram accounts for their own gain, whether by spreading spam, misinformation and propaganda or by demanding a hefty price for returning the accounts or account details to their rightful owners.
While the Facebook security team addressed the vulnerability as soon as it was reported, companies cannot rely solely on point-in-time testing by security researchers or IT personnel. Enterprises and organizations that manage large amounts of consumer data must adopt comprehensive security strategies built on real-time, contextual and continuous authentication and authorization management that identifies anomalous behavior. These real-time strategies must also trigger further authentication steps, such as identity verification, when an unknown user accesses a database of customer information, putting more barriers between threat actors and sensitive information.
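The defect described at the top of this piece is the absence of any bound on how many reset-code guesses the verification step accepts. The verifier below is an added example, not Instagram's or Facebook's code: it limits guesses per code, limits guesses per account across re-issued codes (so requesting fresh codes does not refill the budget), expires codes after ten minutes and compares codes in constant time. The `ResetCodeStore` name and the numeric limits are assumed policy values, not taken from the article.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed policy values for this example (not from the article).
CODE_TTL_SECONDS = 10 * 60         # a code is valid for ten minutes
MAX_ATTEMPTS_PER_CODE = 5          # guesses allowed against one code
MAX_ATTEMPTS_PER_ACCOUNT = 20      # guesses per account per window, across codes
ACCOUNT_WINDOW_SECONDS = 60 * 60   # sliding window for the per-account budget


@dataclass
class ResetCode:
    code: str
    issued_at: float
    attempts: int = 0


@dataclass
class ResetCodeStore:
    codes: dict = field(default_factory=dict)             # account -> ResetCode
    account_attempts: dict = field(default_factory=dict)  # account -> [attempt times]

    def issue(self, account: str, now: float) -> str:
        # Six-digit numeric code from a CSPRNG; issuing a new one replaces the old one.
        code = f"{secrets.randbelow(1_000_000):06d}"
        self.codes[account] = ResetCode(code, now)
        return code

    def _account_budget_left(self, account: str, now: float) -> int:
        recent = [t for t in self.account_attempts.get(account, [])
                  if now - t < ACCOUNT_WINDOW_SECONDS]
        self.account_attempts[account] = recent
        return MAX_ATTEMPTS_PER_ACCOUNT - len(recent)

    def verify(self, account: str, guess: str, now: float) -> str:
        """Return 'ok', 'wrong', 'expired' or 'locked'; a correct guess consumes the code."""
        if self._account_budget_left(account, now) <= 0:
            return "locked"                    # per-account budget spent, even for a fresh code
        self.account_attempts.setdefault(account, []).append(now)
        rc = self.codes.get(account)
        if rc is None or now - rc.issued_at > CODE_TTL_SECONDS:
            self.codes.pop(account, None)
            return "expired"
        rc.attempts += 1
        if rc.attempts > MAX_ATTEMPTS_PER_CODE:
            self.codes.pop(account, None)      # too many guesses: invalidate the code itself
            return "locked"
        if hmac.compare_digest(rc.code.encode(), guess.encode()):
            self.codes.pop(account, None)      # single use
            return "ok"
        return "wrong"
```

With these limits an attacker gets at most 20 guesses per account per hour instead of the million needed to cover every six-digit code, and each round of lockouts is an event a detection pipeline can alert on.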