Dutch police have arrested two teenagers suspected of hacking hundreds of influential Instagram users and exploiting their tens of thousands of followers.
The Instagram photo sharing site is owned by Facebook and has over 400 million active users worldwide.
The 18 and 19 year-old males - from towns near Rotterdam and The Hague - are accused of stealing the passwords from key Instagram account holders, who may be in Holland or other countries.
Police claim the hackers then earned tens of thousands of euros by exploiting their access to these accounts to peddle advertising opportunities to legitimate companies - promising to send out Instagram posts promoting their products.
The arrests have been revealed by the Dutch Broadcasting Foundation (NOS), Holland's largest news organisation. NOS says the suspects conned their victims by sending fake emails supposedly from Instagram which directed them to a lookalike site where they captured their passwords.
“We are still investigating how many victims there are precisely and in which countries,” NOS said. But it confirmed the accused intercepted hundreds of account passwords.
They then homed in on those accounts with tens of thousands of followers and approached companies to advertise to them. NOS said the hackers actually posted advertising photos on the hacked accounts.
"These companies probably did not realise that they were dealing with hackers," said a Dutch police spokesperson. "They made decent amounts that were diverted and converted into bitcoins." NOS confirmed suspects made tens of thousands of euros.
Their arrests have highlighted the issue of two-factor authentication (2FA) protection on major sites, as the compromised Instagram accounts reportedly did not have 2FA switched on, making the hackers' job a lot easier.
Instagram is currently rolling out the same 2FA protection that has been available for several years on parent company Facebook's site – and independent security expert Drew Perry, chief cyber analyst with the Ascot Barclay Cyber Security Group, said 2FA for Instagram “is well overdue”.
“It is surprising it has taken this long considering parent company Facebook rolled it out in 2011 and are at the forefront of security research,” Perry told SC via email.
“This large-scale account compromise via simple phishing techniques reinforces the need for mandatory 2FA policies for business accounts or accounts with a significant number of followers, but in practice this may be difficult to implement due to multiple individuals controlling single accounts.
“2FA is not bullet-proof but to bypass it would take time and significantly more effort. While simple attack methods continue to be successful there is quick profit to be made. Raise the bar by implementing best-practice authentication methods and these type of attacks quickly disappear."
Webroot senior threat research manager David Kennerley agreed, telling SC via email: “This appears to be a simple attack that could have been prevented firstly with user education and secondly if the victims were using 2FA. Without access to a second form of authentication the hacker would have had far greater difficulty in gaining access to the account and in all likeliness, would have moved on to another target.
“Instagram moving to a two-factor approach to authentication isn't before time. Other online companies such as Amazon are following and it is only a matter of time before we see it as an option for all online accounts.
“Too often security loses out to convenience as technology advances. Given the mobile nature of Instagram, customers could easily use their devices as a second form of authentication, making the account more secure but with relatively little impact on the user.”
An Instagram spokesperson confirmed to SC via email: “We began rolling out two-factor authentication to the Instagram community earlier this year. 2FA is an optional feature that adds a second step to the typical login process — after entering a password, you have to provide an SMS code that has been sent to your phone (something potential hackers would not have access to).”
Instagram declined to comment specifically on the Dutch case but added: “The safety of our community is our most important responsibility, and we invest in extensive controls, easy reporting and the best available technology to flag and block suspicious content and accounts. In the unusual event something gets through our systems, we take action immediately.”