Last week, Selena Gomez's Instagram account was taken over by hackers who posted to its feed explicit photographs of the singer's ex-boyfriend, Justin Bieber. Gomez regained control of her account (which is the most followed account on the platform, with over 125 million followers) and the offending photos were erased, but the incident foreshadowed much more widespread problems that were about to surface.
Several days ago, Instagram announced that it had fixed a vulnerability that had apparently allowed unauthorized parties to obtain the email addresses and phone numbers associated with Instagram accounts, even when such information was supposed to be private and inaccessible to anyone other than the respective account owners. Armed with the pilfered information, criminals could potentially have attempted to trigger and intercept password reset messages, or to phish or otherwise socially engineer Instagram users -- which may explain how Gomez's account was breached.
Before the bug was fixed by Instagram, a hacker, or group of hackers, apparently stole a significant amount of data that he/she/they are now offering for sale online at a price of $10 per record (payable in Bitcoin, naturally), terming the searchable database of pilfered Instagram information "Doxagram." The Daily Beast claims to have verified some of the data supplied by the hackers as authentic.
The party responsible for Doxagram says that it amassed data from over six million users. Of course, Instagram has over 700 million active monthly users, so six million is fewer than 1 percent of the total Instagram userbase -- but it still represents many potentially unhappy people.
Among the accounts whose data was stolen were reportedly those of Kim Kardashian, Leonardo DiCaprio, Beyoncé, Taylor Swift, and even the White House.
Doxagram has had periodic outages as various service providers work to take it down, but it appears to be accessible at the present time via the Tor network. Earlier today the person or people behind Doxagram appeared to be tweeting using the Twitter handle @doxagram_insta; Twitter has since suspended that account. Ironically, shortly before the Doxagram account was shut off, its operator tweeted a reminder for anyone using the system to purchase stolen data to "Please keep your login information safe. Use a strong password. We can't do anything if your credit gets used by someone else." Yes. That would be hackers advising people buying stolen information how not to become victims of hackers.
So, how can you best protect your Instagram account?
1. Use multifactor authentication.
2. Use a unique, strong password. For advice on how to select a strong, easy-to-remember password, please see my article "How to Create Strong Passwords That You Can Easily Remember."
3. Keep your Instagram app up to date.
4. As Instagram has advised, "Be vigilant about the security of your account, and exercise caution if you observe any suspicious activity such as unrecognized incoming calls, texts, or emails." Do not respond to emails or texts asking you to reset passwords or the like. Never click links in emails or text messages to access Instagram; instead, access the social network via the app or by typing https://instagram.com into a web browser.
5. If you ever receive an Instagram password reset email and you did not request a password reset, contact Instagram. To do so tap the "..." menu from your profile, select "Report a Problem," and then select "Spam or Abuse."