Instagram has Terrible Account Security

Wednesday, April 15, 2020

A few days back, someone reached out to me suspecting that their Instagram account had been hacked. What followed was me helping them work through every available way to lock down their account and then convincing them that they had done everything and it didn’t seem like it was hacked. In the process, though, as a proof-of-concept, I followed the same procedure I helped them go through. That brings me to what I learnt about Instagram and its account security practices.

I am obsessive about the security of my online accounts, including ones that I only use occasionally. I don’t repeat passwords, I have 2FA enabled on all such services, and I use an authenticator app for it to avoid the possibility of SIM swapping. I am not an expert, but I am curious, cautious and fairly literate on security best practices. With this, I started investigating what different ways exist to identify if an Instagram account had been hacked, and what can be done to salvage it.

Instagram offers a simple ‘Login Activity’ page that provides a list of locations and devices from which your account was accessed. A quick glance at it and I suspect it comes from the IP address location provided by ISPs. (Instagram does not have access to the location data on my phone.) It potentially has duplicates of the same device, so is not foolproof, but it is a good sanity check. If there’s no device-location pair on this list that you don’t recognize (and you haven’t received an email from Instagram telling you about a recent login), there’s a low probability that your account could be hacked. Great.

But what if there is an unknown device there? What do you do then? Well, you try to kick them out. Step one would be to log that device out, but that leaves the possibility that it will be able to log back in, almost immediately. Why, you ask? Well, Instagram has a surprisingly ridiculous setting, ‘Saved login information’, that is turned on by default, and saves the login information to the mobile app. So, even if you log a device out, chances are that it can log back in almost immediately given the login information is saved. Not good, but not alarming either. After all, it is a Facebook product.

So how do you actually force a login from every device? Astonishingly, there’s no way to do this. Articles all over the internet will tell you to change your password, which will force a password entry on every device. I tried that, and it worked, but only sort of.

At this point, Instagram logs out every other device that was previously logged in to the account. Cool. However, when you try to log in again, it gives you a choice: a) Use Facebook to login, or b) Enter the new password (without a 2FA prompt or email notification about login). (b), in and of itself, is terrible, but it is (a) that got me even more worried. I disconnected my Facebook account from Instagram a few years back. And despite Instagram’s constant attempts to lure me into re-connecting them with dark patterns, I have resisted and consciously ensured I do not connect them together.

I tapped ‘Use Facebook to login’. Lo and behold, I was in my Instagram account! No new password, no 2FA code, no email from Instagram about a new login, no email from Facebook about my Facebook account being used to log in to another service. I was in. Business as usual.

I was dazed. I checked Facebook to see if any other ‘app’ was connected to my account or had used Facebook for login. Nada.

To recap, I changed my password on a 2FA-enabled, Facebook-disconnected Instagram account. On a different device, I could log in to my Instagram account without my password, 2FA code or authenticating my Facebook account. I didn’t receive an email from Instagram or Facebook about the login.

In the real world, what this means is that if someone gains access to your Facebook account, they can probably extend it and gain access to your Instagram account. Someone will keep chasing a red herring and try to beef up their Instagram security, all while the perpetrator can conveniently gloss over all of those changes by simply using Facebook to log in to Instagram every single time, with not even a whiff to the victim.