You're lucky you weren't affected by this. Several people I know with three-letter usernames had theirs stolen over the last few days.

When I recovered my account that had been stolen through this exploit (luckily, my username hadn't been changed), I was sent a code to my email address and then asked to use my TOTP code, backup code, or a video selfie. I used my TOTP code and was let in just fine. They certainly have the ability to make such a feature. Keep in mind, however, that several unpatched TFA bypasses exist for Instagram currently. People offer it as a service for around $1,000 on Telegram. Where there's a TOTP code input, there's a way to bypass it.

Very interesting. I found it odd that when I happened to open IG yesterday, I was prompted to log in, and my password didn't work. I asked it to send me a link to my email and got in that way, and didn't have time to look into it further.

So I went to check it again just now after reading your comment, and as soon as I opened the app, I was immediately prompted to create a new password, which I did.

Very, very sketchy things going on here. But I'm glad that they didn't fully allow my account to be stolen :/