The Value of a Name
I woke up to a text on Saturday morning that was only about twenty minutes old: “Google Account password changed.”
Shit. It had happened.
For as long as I've been using Instagram people have wanted my short, two-letter username. Like here on Ello, I am @gb on Instagram. Some people have asked politely, some have dug up my email address and offered to buy it, but more than anything, multiple times per week I get password reset emails from Instagram that I didn't request, and every so often, I would get authorization code texts for the Gmail account that was tied to my Instagram handle. When I saw that text—the one about my password being changed—I knew someone was after my Instagram account.
I jumped out of bed and to my computer: sure enough, I couldn't get into my Google account. I couldn't get into my Instagram account. I was able to regain access to Google by re-authenticating my phone (the hackers had removed it from my account, but Google has a short window where it can be re-added, even if you no longer have access to the account). But, unfortunately, it was too late for Instagram.
I poked around a bit: only my Instagram account seemed to have been compromised. Once they had access and re-assigned the @gb handle to another account, I believe they deleted my account entirely. Friends could no longer find it in the app, and any photos I had taken of them disappeared.
How did this happen? I had two-factor authentication turned on for Google (remember how I said I would occasionally get auth code texts that I hadn't requested?). I use 1Password, and the password for each service is painfully long, complex, and unique. I was baffled.
I'll keep the main details brief, partly because I only have knowledgeable guesses about what happened, and partly because I worry that too many details could leave myself and others vulnerable again.
I filed a support request with Instagram, reporting the hack (thanks @benjaminchait for finding me that link). An online buddy who had been through his own issues with hackers before guided me through checking my Gmail account and ensuring other accounts hadn't been compromised:
* make sure no new filters exist
* make sure email forwarding hasn't been enabled
* check the trash and folders for other service password reset emails that might have been purposefully hidden
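The three checks above are exactly the things an attacker plants in a mailbox to keep a victim from noticing reset emails. The script below is an added example, not something from the original post or from Google: it audits a Gmail filter export (Settings > Filters > Export, which produces an Atom XML file) and flags any filter that forwards mail, or that trashes, archives or marks-as-read anything matching recovery-style keywords. The property names (`from`, `hasTheWord`, `shouldTrash`, `forwardTo`, and so on) are assumed from the shape of that export, and the sample feed is constructed for illustration.

```python
"""Audit a Gmail filter export for rules an attacker would plant.

Added example, not from the original post. Assumes the file has the shape
of Gmail's Settings > Filters > Export: an Atom feed in the
http://schemas.google.com/apps/2006 namespace, one <entry> per filter with
<apps:property name=... value=.../> children. The sample below is constructed.
"""
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Words that show up in account-recovery mail an attacker would want hidden.
RECOVERY_TERMS = ("password", "reset", "verification", "security code", "sign-in")
# Filter actions that keep a message out of the inbox or out of sight.
# (Property names assumed from the export format.)
HIDING_ACTIONS = ("shouldTrash", "shouldArchive", "shouldMarkAsRead")

# Constructed sample: one benign filter, one that buries Instagram reset mail,
# one that forwards anything mentioning "password" to an outside address.
SAMPLE_FILTERS = """<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:apps="http://schemas.google.com/apps/2006">
  <entry>
    <id>tag:mail.google.com,2008:filter:1</id>
    <apps:property name="from" value="newsletter@example.com"/>
    <apps:property name="label" value="Newsletters"/>
    <apps:property name="shouldArchive" value="true"/>
  </entry>
  <entry>
    <id>tag:mail.google.com,2008:filter:2</id>
    <apps:property name="from" value="security@mail.instagram.com"/>
    <apps:property name="hasTheWord" value="reset your password"/>
    <apps:property name="shouldMarkAsRead" value="true"/>
    <apps:property name="shouldTrash" value="true"/>
  </entry>
  <entry>
    <id>tag:mail.google.com,2008:filter:3</id>
    <apps:property name="hasTheWord" value="password"/>
    <apps:property name="forwardTo" value="attacker@example.net"/>
  </entry>
</feed>
"""


def parse_filters(xml_text):
    """Return one dict per filter: property name -> value, plus the entry id."""
    root = ET.fromstring(xml_text)
    filters = []
    for entry in root.findall(ATOM + "entry"):
        props = {p.get("name"): p.get("value")
                 for p in entry.findall(APPS + "property")}
        props["id"] = entry.findtext(ATOM + "id", default="")
        filters.append(props)
    return filters


def audit_filters(filters):
    """Return (filter id, reason) for every filter that forwards mail or
    hides recovery-related mail. Benign archive rules are left alone."""
    findings = []
    for f in filters:
        criteria = " ".join(f.get(k, "") for k in
                            ("from", "to", "subject", "hasTheWord")).lower()
        touches_recovery = any(term in criteria for term in RECOVERY_TERMS)
        hides = [a for a in HIDING_ACTIONS if f.get(a) == "true"]
        if f.get("forwardTo"):
            findings.append((f["id"], "forwards to " + f["forwardTo"]))
        if touches_recovery and hides:
            findings.append((f["id"], "hides recovery mail via " + ", ".join(hides)))
    return findings


if __name__ == "__main__":
    for filter_id, reason in audit_filters(parse_filters(SAMPLE_FILTERS)):
        print(f"{filter_id}: {reason}")
```

Run it against your own export rather than the sample, and treat any `forwardTo` you did not set yourself as a compromise indicator. Note that a forwarding address set in Settings > Forwarding does not appear in the filter export at all, which is why the second check in the list above is separate from the first.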
And then I changed so many passwords. Don't get me wrong: I had some peace of mind because I knew my passwords were unique across services, as far as I could tell no other services had been compromised, and I had regained control of my Gmail account. But it still seemed like a good precaution.
I went outside, rode a bike, and tried to go on with the rest of my weekend, hoping I would hear back from Instagram on Monday with some good news.
The Weakest Link
There was still a lingering question in the back of my mind: I thought I'd done everything right. I considered myself fairly security-savvy. How did this happen? It's a humbling feeling.
On Saturday, I had tweeted about the attack. Several people retweeted me and it cast a wide net. One of those people was Mat Honan, a senior staff writer at Wired. Mat has his own history in dealing with these kinds of attacks. On Monday, he kindly reached out to me suggesting he might have some information and we arranged a phone call.
Again, specific details from this point are murky, but he suggested that I check with my cell phone provider and make sure that call-forwarding had not been enabled on my number without me knowing. Creepy, I thought.
I called, and sure enough, as of Saturday morning my number had been forwarded to a number I did not recognize. Unreal. So, as far as I can tell, the attack actually started with my cell phone provider, which somehow allowed some level of access or social engineering into my Google account, which then allowed the hackers to receive a password reset email from Instagram, giving them control of the account.
Resolution and Learned Lessons
As you might imagine, my cell phone provider was fairly nonplussed about the ordeal. They assured me I wouldn't be responsible for any charges to my account I didn't authorize, but also assured me that no one but me could make changes to my account. Ironic, I know.
The takeaway: You can add a voice authorization code (a PIN) to your carrier account that the customer service representative is supposed to ask you for before making any change, so that only you can alter the account. I added that code and you should too. It may well not have helped in my case, but it's something.
This one is still a black box to me. I can't find a way to report the incident to Google, and my cynicism tells me they deal with this kind of stuff enough that they wouldn't provide me with much information or resolution even if I could. I've since re-enabled two-factor auth, and I use an app to retrieve the authorization codes instead of texts.
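The difference between text-message codes and app codes is worth making concrete. An SMS code is only as safe as the phone number it is sent to, and a forwarded number delivers it to the attacker. An authenticator app instead derives each code from a secret shared once at enrollment plus the current time, so nothing travels over the phone network. The code below is an added example, not from the original post or from any particular authenticator, implementing the standard HOTP/TOTP derivation (RFC 4226 and RFC 6238); the secret is the RFC test key, not a real one.

```python
"""Time-based one-time passwords (RFC 6238) from a shared secret and a clock.

Added example, not from the original post. The secret is the RFC 4226/6238
test vector key, used here only so the output can be checked against the RFCs.
"""
import hashlib
import hmac
import struct
import time

RFC_TEST_SECRET = b"12345678901234567890"  # RFC test key, not a real secret


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC the 8-byte big-endian counter, dynamically truncate to
    31 bits at the offset given by the low nibble of the last byte, then
    keep `digits` decimal digits (zero-padded)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time=None, step=30, digits=6):
    """RFC 6238: HOTP whose counter is the number of `step`-second
    intervals since the Unix epoch. No phone number is involved anywhere."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, candidate, at_time=None, step=30, window=1):
    """Server-side check: accept the code for the current interval or
    `window` intervals either side (clock drift), comparing in constant time."""
    if at_time is None:
        at_time = time.time()
    counter = int(at_time) // step
    return any(hmac.compare_digest(hotp(secret, counter + d), candidate)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    # RFC 6238 Appendix B lists 94287082 (8 digits) for T=59 with SHA-1.
    print("code at t=59:", totp(RFC_TEST_SECRET, at_time=59, digits=8))
    print("current code:", totp(RFC_TEST_SECRET))
```

The enrollment secret is the thing to protect: anyone who has it can run `totp` exactly as the app does, which is why the QR code shown at setup should be treated like a password and the backup codes stored alongside it, not in the mailbox the 2FA is protecting.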
The takeaway: My Instagram account was tied to an email that was basically my name. That was probably a mistake. I have other public email addresses, so I'm not sure how someone would have known it was my Gmail account they should go after, but it probably wasn't hard to figure out. I've since moved all important accounts that allow password reset emails to a different address that does not contain my name, and you might want to consider doing that too.
Initially Instagram's support sent me an email saying that they could not verify that I had ever owned the @gb account in the first place (despite the fact that they had made me a Suggested User to Follow for a time) and would not be able to take any further action. Bummer.
Thankfully, some friends in high places did some digging and prodding and an Instagram team member got in touch with me personally and worked to restore my username and account. In the end, I really appreciate their effort and kindness.
A Word on Two-Factor
In this particular case, it seems that two-factor authentication wasn't the security cure-all that many of us in the industry want it to be. However, I still think it's a good idea and I have it enabled on any accounts that allow it (I did before the attack). Nothing is foolproof, and nothing is perfect, but it certainly makes it a lot harder for people to get into your digital stuff when you don't want them to.
In the end, like anything else in life, our digital stuff is just that: stuff. I'm pretty lucky. The folks that went after me really wanted just one thing and one thing only, it seems. It could have been a lot worse. It shakes you to feel like something you "own" is taken from you, but you can only take the reasonable precautions and then just let it go.
Go outside. There’s no internet out there.