Recently, hundreds of Instagram (IG) users complained to Instagram that they cannot log in to their IG accounts: the accounts were suddenly switched off, and the emails, passwords and personal information had been changed by someone. Some of them were using two-factor authentication, but their accounts were still hacked.
According to the victims’ statements, the changed email addresses end in the suffix “.ru”, which belongs to the Russian domain name. Some people conjecture that the hacker may come from Russia or be pretending to be Russian. It will be the first time Russian hackers have abused social media if the conjecture is right. Moreover, the hackers’ intention is not confirmed yet, since so far they have only changed the icon of the hacked Instagram accounts to Disneyland characters and have not done anything else.
Some experts say that the vulnerability may be related to SIM cards. Instagram’s two-factor authentication only supports SMS as a second authentication factor in addition to passwords, so the hackers may use SIM cards to invade Instagram user accounts, making Instagram a non-SMS two-factor authentication.
Two-factor authentication can be broken by phishing, so back up before that happens if you do not want to become a victim.