Instagram hack is locking hundreds of users out of their accounts

Recovery options are being changed to .ru addresses by an unknown threat actor.

Instagram has been hit by a widespread hacking campaign which appears to have affected hundreds of users, leaving them unable to recover their accounts.

As first reported by Mashable, increasing numbers of Instagram users are finding themselves barred from their own accounts.

Login attempts appear to be failing, and when password reset and recovery emails are requested, many users are reporting that the email addresses linked to their accounts have been changed to .ru domains.

While it is unknown who is behind the compromise, the use of .ru email addresses may indicate the source is from Russia -- or threat actors pretending to be from the country.

Usernames, profile images, passwords, email addresses and connected Facebook accounts are being changed, according to victims. A connection made between the compromised accounts is the use of Disney or Pixar characters when new profile pictures have been uploaded.

According to the publication, hundreds of users of the image sharing platform have reported account locking problems. At the time of writing, users are still being targeted and are tweeting directly to Instagram in desperation to get their accounts back.

TechRepublic: Instagram IGTV: 3 ways businesses can use the new service

It is not known how many victims implemented two-factor authentication (2FA) in their accounts. As email addresses have been changed, alongside other contact information, users involved in the hack are likely to have a tough time recovering their accounts.

Users on Twitter have found the recovery process for Instagram accounts to be frustrating. Some victims say that despite going through all the necessary steps, the platform has yet to assist and the automated systems that Instagram uses for account recovery have not proved effective.

One Instagram user commented on Twitter that they have waited five days, and another said it took two and a half weeks for Instagram to return their account.

It may be that the accounts have been exposed to attack due to a lack of 2FA, lax password security, or a successful phishing campaign.

CNET: It's time to take a long, hard look at our Instagram etiquette

"We work hard to provide the Instagram community with a safe and secure experience," an Instagram spokesperson said. "When we become aware of an account that has been compromised, we shut off access to the account and the people who've been affected are put through a remediation process so they can reset their password and take other necessary steps to secure their accounts."

When social media accounts become the targets of cyberattackers, after being compromised, messages will often be sent to contacts containing malicious links and scripts to propagate, and fraudulent content or spam will often be posted on timelines.

However, it does not appear to be the case when it comes to the Instagram incident as there have not been reports of user content being deleted or any new images being published.

See also: Apple macOS vulnerability paves the way for system compromise with a single click

As a result, Paul Bischoff, privacy advocate at Comparitech.com, believes the widespread hack may be due to a botnet. Speaking to Threat Post, Bischoff speculated that the accounts may be intended for a spam slave army.

"Even if some victims regain control of their accounts, many of those affected have likely quit the platform or just won't go through the trouble, adding soldiers to the spambot army," Bischoff added.

Previous and related coverage