Instagram is testing out a new, in-app process to make it easier for users to regain access to accounts overtaken by cybercriminals.
In recent years, the site has been grappling with a growing problem of successful account-takeover attempts, including via apparent mass campaigns that we also wrote about recently. ESET research has also uncovered a bunch of Android apps in Google Play that were designed to steal Instagram credentials.
The platform's new account-retrieval method is intended to do away with what has often been a laborious process that could involve long waiting times and back-and-forths with its customer support. The site could previously also ask you to supply a selfie in which you would hold up a sheet of paper with an Instagram-supplied code handwritten on it in order to prove you’re the legitimate account holder.
And yet, this hasn’t always helped victims get their accounts back. That should be a thing of the past under the new recovery process, which was first detailed by Motherboard, citing an emailed statement from the photo-sharing platform.
The ‘new order’
Under the new rules, if you repeatedly input an incorrect password – for instance, because your account has been invaded by a hacker who wasted no time in changing the login credentials – the Instagram app will ask you for your contact information of choice. You could, for example, input the email address or phone number you used to sign up for the service, so that you can reclaim access to your account even if the ne’er-do-wells have altered the username or associated contact information. (The same prompt will appear if you simply tap the "Need more help" option on the app's login screen.)
From there, you will receive a six-digit access code that will enable you to retrieve your profile.
The social platform also aims to address the scenario where hackers have taken over either the email account or phone number tied to an Instagram account. "When you re-gain access to your account, we will take additional measures to ensure a hacker cannot use codes sent to your email address [or] phone number to access your account from a different device," an Instagram spokesperson was quoted as saying.
Also part of the new safeguards is a mechanism to foil account hijacking aimed at grabbing high-profile aliases before holding the victims for ransom or selling the handles off for hefty gains on underground markets. Any changes to an account, including those made by its genuine owner, will result in a temporary freeze on the username, so that it "can't be claimed by someone else if you lose access to your account". This feature, which will give people some time to claim their accounts back, is available on Android at the moment but will also roll out on iOS soon.
Meanwhile, a human review will still be needed in “edge cases”, writes PCMag, including when hackers take control of both the email address and the mobile phone number tied to an (also hijacked) Instagram account.
Hard to hack
The Facebook-owned service may still fine-tune the new system over the next few months, as its wider availability remains unclear. Still, it’s best not to have to go through any account recovery process, streamlined or not.
Restricting who can view your personal information, locking down your account with a strong and unique password and an extra authentication factor, as well as being wary of messages targeting your credentials will go a long way towards staying safe on many a social platform. You may also want to refer to our 5 tips to help you stay safe on Instagram.