Instagram: where security is job 1.1a.

When some script kiddie tries to halfassedly take over my account, is there any way to tell Instagram, "that's not me, I am under attack, stop texting me once a minute"?

I have not tried replying with "STOP" as I'm pretty sure that would be interpreted as "stop informing me about the ongoing attack, but by all means allow it to continue."

Facebook just sucks at everything, don't they.

Previously, previously, previously, previously, previously, previously, previously.

Tags: , , , , ,

20 Responses:

  1. Krisjohn says:

    Change your IG email address to something ungoogleable.

    • Wout says:

      Great idea!

      I love using the + feature of emails for that. E.g.

      (Of course, if Microsoft is your email provider, it won't work, that goes without saying)

      • tfb says:

        What I discovered when doing that is that a deeply amazing number of people don't use an RFC822 parser to check addresses are valid, despite the availability of such things in dozens of languages, and instead puke all over the '+'. OK, no, not deeply amazing: just depressing.

        To this day I get email from, which long ago used to have some competently written email address parser but then got rewritten in some shiny framework written by morons, such that I can no longer log in to even tell it to delete the address it is spamming.

        • jwz says:

          Yes, I've also discovered that "+" simply doesn't work on the Modern Internet. You have to add a custom alias for such things.

        • Ham Monger says:

          A surprising totally unsurprising number of sites aren't happy with hyphens in email addresses either; apparently email addresses can only contain [a-zA-Z0-9]. (I assume if they can't figure out + or -, . and _ is obviously beyond them too. Some sites even force uppercase, which is especially quaint.)

          I've slowly started migrating from to since I'm making a new alias anyway. I'm sure I'll run into new amusement like expletive filters or stupidly short limits on address length, but at that point making an account will obviously be too much effort and I can go about my day having saved myself the burden of a new account.

    • jwz says:

      I changed the email address to be un-guessable, and I'm still getting the "we've made it easy to get back on Instagram!" emails to that new address, which means that the person requesting the reset is not required to know what the email address is.

      How very.

      • Yeah, all they need is a username to request a password reset. I'm not sure what the con is here, because the reset will always go to my email account, which they don't have access too... so why do they try?
        Anyways, I've gotten a half dozen emails from instagram in the past two weeks that were trying to help me sign back in to IG. So I'm guessing it's a recent trend or exploit people have figured out.

        • jwz says:

          The con to be worried about is that they manage to do a SIM hijack so that they start receiving your text messages, which gets them the IG account, and possibly also the email account. And with most telcos, succeeding at a SIM hijack seems to be just a matter of persistence.

          So the reason all of these SMS messages concerned me was that it can indicate that a SIM attack is also in progress, which is not something that is easy to defend against.

          • Ham Monger says:

            Hilariously, doesn't that mean stopping the texts actually makes your account safer, even though it means they're not telling you about the dictionary attacks?

          • thielges says:

            Maybe the exploit is a simple brute force technique. Some “forgot my PW” mechanisms validate by texting you a temporary 6 digit code. Even if the attacker doesn’t intercept that code, they can always guess and have a 1/1000000 chance of being right. Persistence will eventually meet luck.

      • jwz says:

        Oh, and here's something even stupider. Turns out, I have TOTP 2FA turned on for this account. So why the ever-loving fuck is it even allowing a password reset by SMS?

  2. dmca says:

    I can confirm, facebook and ig security today are as bad today as yahoo used to be years ago. Something is rotten in the heart of facebook. And there seems to have been no real improvement in its account security in the last five years. I think they are just too big to care.

  3. thielges says:

    This type of attack is so easy to thwart that it indicates either extreme naïveté or apathy.

    “For this week’s CS102 assignment, modify your ‘forgot my password’ handler to throttle requests to once every 10 seconds per userid. Then add a one day lockout after ten failed attempts. For extra credit tie lockouts to IP. “

  4. Jeffrey W. Baker says:

    If, like me, you also get 400+ password reset emails from IG every day, there's a link in the email where you can disable password resets from devices that aren't already registered to your account.

    • jwz says:

      That link has not been in the email when I have gotten those emails in the past. And for the last two days, I haven't been getting password reset emails at all, only text messages.

  5. jwz says:

    Lookin' good there, Instagram. Great look.

  6. d.w. says:

    I’m in the middle of one of these attacks right now — 43 SMS in the last hour.

  • Previously